dcrat | 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573

Analysis

max time kernel
117s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/03/2025, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
Size

1.3MB
MD5

c4c3dda932f1f288a7091eb1b6bfcc8f
SHA1

63216a8fc66477860834a280b812b170863af11a
SHA256

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573
SHA512

cf6ed58e0942d09663627a79464bf77eccedfa79082fe12724a2fc022edd56c2107fae25be23bc14c070354583e06335dad635974a6a2f9d74c80ec6ea35b269
SSDEEP

24576:mM0FvyGsOBDr8gCy5viNtXY91McnOTlRLzrwlKfPGGPwOQVC8+zJ:F0FvJzgSiNR5VzrwMfuG4OQ3+zJ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2788	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2788	schtasks.exe	36

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000c000000012266-6.dat	dcrat
behavioral1/files/0x000a000000016d2c-26.dat	dcrat
behavioral1/memory/2800-30-0x0000000000160000-0x0000000000236000-memory.dmp	dcrat
behavioral1/memory/1968-72-0x0000000000EF0000-0x0000000000FC6000-memory.dmp	dcrat

Executes dropped EXE 4 IoCs

pid	Process
2900	Snace.exe
2916	Змейка by ДК and AS.exe
2800	WebRuntimeDll.exe
1968	WebRuntimeDll.exe

Loads dropped DLL 2 IoCs

pid	Process
2852	cmd.exe
2852	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\WebRuntimeDll.exe	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Windows Sidebar\be88ae029a832b	WebRuntimeDll.exe
File created	C:\Program Files\Google\Chrome\WmiPrvSE.exe	WebRuntimeDll.exe
File created	C:\Program Files\Google\Chrome\24dbde2999530e	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\c5b4cb5e9653cc	WebRuntimeDll.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Nature\winlogon.exe	WebRuntimeDll.exe
File created	C:\Windows\Web\Wallpaper\Nature\cc11b995f2a76d	WebRuntimeDll.exe
File created	C:\Windows\AppCompat\Programs\lsm.exe	WebRuntimeDll.exe
File created	C:\Windows\AppCompat\Programs\101b941d020240	WebRuntimeDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Snace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Змейка by ДК and AS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1544	schtasks.exe
2592	schtasks.exe
2324	schtasks.exe
1572	schtasks.exe
940	schtasks.exe
1016	schtasks.exe
2328	schtasks.exe
756	schtasks.exe
1708	schtasks.exe
2096	schtasks.exe
2956	schtasks.exe
2984	schtasks.exe
2240	schtasks.exe
1680	schtasks.exe
2204	schtasks.exe
2104	schtasks.exe
1256	schtasks.exe
2224	schtasks.exe
1740	schtasks.exe
1400	schtasks.exe
2308	schtasks.exe
2428	schtasks.exe
1232	schtasks.exe
1828	schtasks.exe
1624	schtasks.exe
2900	schtasks.exe
1132	schtasks.exe
2028	schtasks.exe
768	schtasks.exe
1996	schtasks.exe
2420	schtasks.exe
1460	schtasks.exe
2340	schtasks.exe
520	schtasks.exe
2456	schtasks.exe
1748	schtasks.exe
1616	schtasks.exe
2424	schtasks.exe
1516	schtasks.exe
452	schtasks.exe
888	schtasks.exe
2996	schtasks.exe
2860	schtasks.exe
1660	schtasks.exe
2676	schtasks.exe
2584	schtasks.exe
1548	schtasks.exe
2476	schtasks.exe
1992	schtasks.exe
912	schtasks.exe
1308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2800	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe
1968	WebRuntimeDll.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	WebRuntimeDll.exe
Token: SeDebugPrivilege	1968	WebRuntimeDll.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2916	Змейка by ДК and AS.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2900	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 1740 wrote to memory of 2900	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 1740 wrote to memory of 2900	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 1740 wrote to memory of 2900	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	30
PID 1740 wrote to memory of 2916	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 1740 wrote to memory of 2916	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 1740 wrote to memory of 2916	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 1740 wrote to memory of 2916	1740	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	31
PID 2900 wrote to memory of 3060	2900	Snace.exe	32
PID 2900 wrote to memory of 3060	2900	Snace.exe	32
PID 2900 wrote to memory of 3060	2900	Snace.exe	32
PID 2900 wrote to memory of 3060	2900	Snace.exe	32
PID 3060 wrote to memory of 2852	3060	WScript.exe	33
PID 3060 wrote to memory of 2852	3060	WScript.exe	33
PID 3060 wrote to memory of 2852	3060	WScript.exe	33
PID 3060 wrote to memory of 2852	3060	WScript.exe	33
PID 2852 wrote to memory of 2800	2852	cmd.exe	35
PID 2852 wrote to memory of 2800	2852	cmd.exe	35
PID 2852 wrote to memory of 2800	2852	cmd.exe	35
PID 2852 wrote to memory of 2800	2852	cmd.exe	35
PID 2800 wrote to memory of 2304	2800	WebRuntimeDll.exe	88
PID 2800 wrote to memory of 2304	2800	WebRuntimeDll.exe	88
PID 2800 wrote to memory of 2304	2800	WebRuntimeDll.exe	88
PID 2304 wrote to memory of 2840	2304	cmd.exe	90
PID 2304 wrote to memory of 2840	2304	cmd.exe	90
PID 2304 wrote to memory of 2840	2304	cmd.exe	90
PID 2304 wrote to memory of 1968	2304	cmd.exe	91
PID 2304 wrote to memory of 1968	2304	cmd.exe	91
PID 2304 wrote to memory of 1968	2304	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
"C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Roaming\Snace.exe
  "C:\Users\Admin\AppData\Roaming\Snace.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\reviewWinrefperfsvc\WebRuntimeDll.exe
        
        "C:\reviewWinrefperfsvc\WebRuntimeDll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w3Joh8IWsO.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2840
        
        C:\Program Files (x86)\Windows Sidebar\WebRuntimeDll.exe
        
        "C:\Program Files (x86)\Windows Sidebar\WebRuntimeDll.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
- C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe
  "C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebRuntimeDllW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\WebRuntimeDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebRuntimeDll" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\WebRuntimeDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WebRuntimeDllW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\WebRuntimeDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\reviewWinrefperfsvc\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\reviewWinrefperfsvc\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\reviewWinrefperfsvc\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\reviewWinrefperfsvc\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\reviewWinrefperfsvc\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\reviewWinrefperfsvc\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Nature\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Nature\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\reviewWinrefperfsvc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\reviewWinrefperfsvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\reviewWinrefperfsvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\w3Joh8IWsO.bat

Filesize
221B

MD5
74523218259bd9c97b90fb4b06c8b383

SHA1
a5b6532246dd506afe1bddb6c8e8f367b748ed61

SHA256
2e1ef422d643b9d241394deb78e3203bbe8a1dc4bc5658d227d1fa868466674d

SHA512
b38ffb95d04a7e2107ca431dff3f0b6bf1413b2b8d65a4484c9416ff5fcdab3db046277b6dfc7bec049dfe0107e2993edc6ef573cd69cde46e843132026eb9cb

Download Submit
C:\Users\Admin\AppData\Roaming\Snace.exe

Filesize
1.1MB

MD5
886ec8f57236b11553cbb8de98cf1b69

SHA1
f72c049fcd8baa73e74d70c79d3f3b3045b8cd90

SHA256
958a4807d4c38b89256f1094b72703e7bdec8ca424443e9db71cc271ec75200e

SHA512
6284b75c1f9f8b30926e5e1c6a2a0925ef2aeb5202ac706b9565a226199de6b249e5f01a523df96d79f943986a642d420ecf077590d8f03ceba060eb2fa36114

Download Submit
C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe

Filesize
204KB

MD5
89a940000e5a7562ca32fe47e62d9ab3

SHA1
5afb63a26e2ac622e265e1279323a349c71e0b2d

SHA256
819bca0c3d379cb4375fd72199957791edab39e76eeec2f3be403275009787e8

SHA512
2a3f1818ef815a9a5ce944621775c33774f748877fd7baf858d1224a1beba2aac707354356d717b2143e6ef2877ce63fd7e41a5d083fb3d93b9887452f466553

Download Submit
C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat

Filesize
42B

MD5
3f6e29bbbf283829bb2dc00aeb600bfb

SHA1
064b543066405b411d9713fdc3d042bcebc6a984

SHA256
775dc60b73fa023ba0a7d4b394a4d911c74af2951e0f6379d337ee566a81cd2b

SHA512
9d8a79cbebd80bb4d7b37f8106b1556a06be25cb89d70593f1b4a1b2111a3088bc08b6115bef9db2df408d22f5dc06644abf6e4a5edcaff385c9f033a17e7865

Download Submit
C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe

Filesize
213B

MD5
60bb10e1b4c6be7987af6cdb164a2ea7

SHA1
452bd2a19a71b7b0138cebc399013e7fd5faf992

SHA256
139fcb96f7b9fce0dde74056a75940d5cd131571a1ce3005476efec24824df39

SHA512
09cc5f1de91462474618ce6bc9bf6fbc3f8e9961cc27548428d146f274570a7d8f5a6562d3f66f7fe874cdbd2ecc720f933b3122bb41b25415201e3a7275ec96

Download Submit
\reviewWinrefperfsvc\WebRuntimeDll.exe

Filesize
827KB

MD5
6307ea5399fdc7482c17c3ac5e287d13

SHA1
9861a738275262a084500d39743674a274c8a396

SHA256
8e1afc545da625009596890cb867865d1073ca7ac96efae987663305f53c3e3b

SHA512
369e88b1de6b0824e52253a25aed270bceb607265c7040e3324d8b323b719af6cbbc273f408ce9271005e424fa24be9d6db4a32b72a754b5bb2747a09ad97d42

Download Submit
memory/1740-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1740-1-0x0000000000960000-0x0000000000ABC000-memory.dmp

Filesize
1.4MB

Download
memory/1968-72-0x0000000000EF0000-0x0000000000FC6000-memory.dmp

Filesize
856KB

Download
memory/2800-30-0x0000000000160000-0x0000000000236000-memory.dmp

Filesize
856KB

Download