dcrat | 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573

Analysis

max time kernel
131s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
Size

1.3MB
MD5

c4c3dda932f1f288a7091eb1b6bfcc8f
SHA1

63216a8fc66477860834a280b812b170863af11a
SHA256

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573
SHA512

cf6ed58e0942d09663627a79464bf77eccedfa79082fe12724a2fc022edd56c2107fae25be23bc14c070354583e06335dad635974a6a2f9d74c80ec6ea35b269
SSDEEP

24576:mM0FvyGsOBDr8gCy5viNtXY91McnOTlRLzrwlKfPGGPwOQVC8+zJ:F0FvJzgSiNR5VzrwMfuG4OQ3+zJ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5300	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5652	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5904	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5236	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5816	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5656	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	2128	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2128	schtasks.exe	95

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000e000000022ef1-6.dat	dcrat
behavioral2/files/0x000700000002422b-34.dat	dcrat
behavioral2/memory/5920-36-0x0000000000430000-0x0000000000506000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	Snace.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	WebRuntimeDll.exe

Executes dropped EXE 4 IoCs

pid	Process
4780	Snace.exe
1556	Змейка by ДК and AS.exe
5920	WebRuntimeDll.exe
3032	SearchApp.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\backgroundTaskHost.exe	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\eddb19405b7ce1	WebRuntimeDll.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	WebRuntimeDll.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94	WebRuntimeDll.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\WebRuntimeDll.exe	WebRuntimeDll.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\be88ae029a832b	WebRuntimeDll.exe
File created	C:\Program Files\Internet Explorer\ja-JP\cmd.exe	WebRuntimeDll.exe
File created	C:\Program Files\Internet Explorer\ja-JP\ebf1f9fa8afd6d	WebRuntimeDll.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\security\database\56085415360792	WebRuntimeDll.exe
File created	C:\Windows\WaaS\tasks\Змейка by ДК and AS.exe	WebRuntimeDll.exe
File created	C:\Windows\security\database\wininit.exe	WebRuntimeDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Змейка by ДК and AS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Snace.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	Snace.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3176	schtasks.exe
1784	schtasks.exe
4364	schtasks.exe
464	schtasks.exe
5652	schtasks.exe
1836	schtasks.exe
3596	schtasks.exe
1392	schtasks.exe
3368	schtasks.exe
4444	schtasks.exe
908	schtasks.exe
4028	schtasks.exe
1188	schtasks.exe
2928	schtasks.exe
3520	schtasks.exe
744	schtasks.exe
4176	schtasks.exe
380	schtasks.exe
4920	schtasks.exe
5008	schtasks.exe
412	schtasks.exe
1288	schtasks.exe
5236	schtasks.exe
1596	schtasks.exe
5656	schtasks.exe
1316	schtasks.exe
4324	schtasks.exe
2936	schtasks.exe
2476	schtasks.exe
1920	schtasks.exe
1388	schtasks.exe
2656	schtasks.exe
3316	schtasks.exe
3272	schtasks.exe
5904	schtasks.exe
1040	schtasks.exe
796	schtasks.exe
900	schtasks.exe
5816	schtasks.exe
3848	schtasks.exe
5648	schtasks.exe
5300	schtasks.exe
6068	schtasks.exe
1340	schtasks.exe
1916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
5920	WebRuntimeDll.exe
3032	SearchApp.exe
3032	SearchApp.exe
3032	SearchApp.exe
3032	SearchApp.exe
3032	SearchApp.exe
3032	SearchApp.exe
3032	SearchApp.exe
3032	SearchApp.exe
3032	SearchApp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5920	WebRuntimeDll.exe
Token: SeDebugPrivilege	3032	SearchApp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	Змейка by ДК and AS.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 4780	1928	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	86
PID 1928 wrote to memory of 4780	1928	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	86
PID 1928 wrote to memory of 4780	1928	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	86
PID 1928 wrote to memory of 1556	1928	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	87
PID 1928 wrote to memory of 1556	1928	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	87
PID 1928 wrote to memory of 1556	1928	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	87
PID 4780 wrote to memory of 5576	4780	Snace.exe	88
PID 4780 wrote to memory of 5576	4780	Snace.exe	88
PID 4780 wrote to memory of 5576	4780	Snace.exe	88
PID 5576 wrote to memory of 5932	5576	WScript.exe	97
PID 5576 wrote to memory of 5932	5576	WScript.exe	97
PID 5576 wrote to memory of 5932	5576	WScript.exe	97
PID 5932 wrote to memory of 5920	5932	cmd.exe	99
PID 5932 wrote to memory of 5920	5932	cmd.exe	99
PID 5920 wrote to memory of 3032	5920	WebRuntimeDll.exe	146
PID 5920 wrote to memory of 3032	5920	WebRuntimeDll.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
"C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Roaming\Snace.exe
  "C:\Users\Admin\AppData\Roaming\Snace.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5932
    - - C:\reviewWinrefperfsvc\WebRuntimeDll.exe
        
        "C:\reviewWinrefperfsvc\WebRuntimeDll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5920
      - C:\Users\Public\Documents\My Pictures\SearchApp.exe
        
        "C:\Users\Public\Documents\My Pictures\SearchApp.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
- C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe
  "C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\security\database\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\database\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\security\database\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebRuntimeDllW" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WebRuntimeDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebRuntimeDll" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WebRuntimeDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebRuntimeDllW" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\WebRuntimeDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\aff403968f1bfcc42131676322798b50\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Pictures\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\reviewWinrefperfsvc\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\reviewWinrefperfsvc\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\reviewWinrefperfsvc\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Snace.exe

Filesize
1.1MB

MD5
886ec8f57236b11553cbb8de98cf1b69

SHA1
f72c049fcd8baa73e74d70c79d3f3b3045b8cd90

SHA256
958a4807d4c38b89256f1094b72703e7bdec8ca424443e9db71cc271ec75200e

SHA512
6284b75c1f9f8b30926e5e1c6a2a0925ef2aeb5202ac706b9565a226199de6b249e5f01a523df96d79f943986a642d420ecf077590d8f03ceba060eb2fa36114

Download Submit
C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe

Filesize
204KB

MD5
89a940000e5a7562ca32fe47e62d9ab3

SHA1
5afb63a26e2ac622e265e1279323a349c71e0b2d

SHA256
819bca0c3d379cb4375fd72199957791edab39e76eeec2f3be403275009787e8

SHA512
2a3f1818ef815a9a5ce944621775c33774f748877fd7baf858d1224a1beba2aac707354356d717b2143e6ef2877ce63fd7e41a5d083fb3d93b9887452f466553

Download Submit
C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat

Filesize
42B

MD5
3f6e29bbbf283829bb2dc00aeb600bfb

SHA1
064b543066405b411d9713fdc3d042bcebc6a984

SHA256
775dc60b73fa023ba0a7d4b394a4d911c74af2951e0f6379d337ee566a81cd2b

SHA512
9d8a79cbebd80bb4d7b37f8106b1556a06be25cb89d70593f1b4a1b2111a3088bc08b6115bef9db2df408d22f5dc06644abf6e4a5edcaff385c9f033a17e7865

Download Submit
C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe

Filesize
213B

MD5
60bb10e1b4c6be7987af6cdb164a2ea7

SHA1
452bd2a19a71b7b0138cebc399013e7fd5faf992

SHA256
139fcb96f7b9fce0dde74056a75940d5cd131571a1ce3005476efec24824df39

SHA512
09cc5f1de91462474618ce6bc9bf6fbc3f8e9961cc27548428d146f274570a7d8f5a6562d3f66f7fe874cdbd2ecc720f933b3122bb41b25415201e3a7275ec96

Download Submit
C:\reviewWinrefperfsvc\WebRuntimeDll.exe

Filesize
827KB

MD5
6307ea5399fdc7482c17c3ac5e287d13

SHA1
9861a738275262a084500d39743674a274c8a396

SHA256
8e1afc545da625009596890cb867865d1073ca7ac96efae987663305f53c3e3b

SHA512
369e88b1de6b0824e52253a25aed270bceb607265c7040e3324d8b323b719af6cbbc273f408ce9271005e424fa24be9d6db4a32b72a754b5bb2747a09ad97d42

Download Submit
memory/1928-0-0x00007FFE082F3000-0x00007FFE082F5000-memory.dmp

Filesize
8KB

Download
memory/1928-1-0x0000000000A60000-0x0000000000BBC000-memory.dmp

Filesize
1.4MB

Download
memory/5920-36-0x0000000000430000-0x0000000000506000-memory.dmp

Filesize
856KB

Download