dcrat | 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
Size

1.3MB
MD5

c4c3dda932f1f288a7091eb1b6bfcc8f
SHA1

63216a8fc66477860834a280b812b170863af11a
SHA256

59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573
SHA512

cf6ed58e0942d09663627a79464bf77eccedfa79082fe12724a2fc022edd56c2107fae25be23bc14c070354583e06335dad635974a6a2f9d74c80ec6ea35b269
SSDEEP

24576:mM0FvyGsOBDr8gCy5viNtXY91McnOTlRLzrwlKfPGGPwOQVC8+zJ:F0FvJzgSiNR5VzrwMfuG4OQ3+zJ

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	5068	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	5068	schtasks.exe	95

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000024075-6.dat	dcrat
behavioral2/files/0x000700000002412e-34.dat	dcrat
behavioral2/memory/2156-36-0x0000000000350000-0x0000000000426000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WebRuntimeDll.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Snace.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 4 IoCs

pid	Process
3260	Snace.exe
1220	Змейка by ДК and AS.exe
2156	WebRuntimeDll.exe
4320	dwm.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6cb0b6c459d5d3	WebRuntimeDll.exe
File created	C:\Program Files\Windows Defender\it-IT\WmiPrvSE.exe	WebRuntimeDll.exe
File created	C:\Program Files\Windows Defender\it-IT\24dbde2999530e	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Common Files\Services\upfc.exe	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Common Files\Services\ea1d8f6d871115	WebRuntimeDll.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	WebRuntimeDll.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	WebRuntimeDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Змейка by ДК and AS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Snace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	Snace.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	WebRuntimeDll.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3100	schtasks.exe
1228	schtasks.exe
3976	schtasks.exe
4964	schtasks.exe
1496	schtasks.exe
1128	schtasks.exe
4184	schtasks.exe
688	schtasks.exe
2084	schtasks.exe
1948	schtasks.exe
3740	schtasks.exe
4048	schtasks.exe
1468	schtasks.exe
3520	schtasks.exe
1400	schtasks.exe
540	schtasks.exe
1776	schtasks.exe
2012	schtasks.exe
1556	schtasks.exe
4072	schtasks.exe
1980	schtasks.exe
4356	schtasks.exe
4140	schtasks.exe
2508	schtasks.exe
4620	schtasks.exe
3396	schtasks.exe
1740	schtasks.exe
4752	schtasks.exe
4628	schtasks.exe
2240	schtasks.exe
3736	schtasks.exe
4792	schtasks.exe
3088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2156	WebRuntimeDll.exe
2156	WebRuntimeDll.exe
2156	WebRuntimeDll.exe
2156	WebRuntimeDll.exe
2156	WebRuntimeDll.exe
4320	dwm.exe
4320	dwm.exe
4320	dwm.exe
4320	dwm.exe
4320	dwm.exe
4320	dwm.exe
4320	dwm.exe
4320	dwm.exe
4320	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4320	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	WebRuntimeDll.exe
Token: SeDebugPrivilege	4320	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1220	Змейка by ДК and AS.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 3260	3032	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	86
PID 3032 wrote to memory of 3260	3032	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	86
PID 3032 wrote to memory of 3260	3032	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	86
PID 3032 wrote to memory of 1220	3032	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	87
PID 3032 wrote to memory of 1220	3032	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	87
PID 3032 wrote to memory of 1220	3032	59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe	87
PID 3260 wrote to memory of 3412	3260	Snace.exe	89
PID 3260 wrote to memory of 3412	3260	Snace.exe	89
PID 3260 wrote to memory of 3412	3260	Snace.exe	89
PID 3412 wrote to memory of 2812	3412	WScript.exe	97
PID 3412 wrote to memory of 2812	3412	WScript.exe	97
PID 3412 wrote to memory of 2812	3412	WScript.exe	97
PID 2812 wrote to memory of 2156	2812	cmd.exe	99
PID 2812 wrote to memory of 2156	2812	cmd.exe	99
PID 2156 wrote to memory of 1680	2156	WebRuntimeDll.exe	134
PID 2156 wrote to memory of 1680	2156	WebRuntimeDll.exe	134
PID 1680 wrote to memory of 216	1680	cmd.exe	136
PID 1680 wrote to memory of 216	1680	cmd.exe	136
PID 1680 wrote to memory of 4320	1680	cmd.exe	138
PID 1680 wrote to memory of 4320	1680	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe
"C:\Users\Admin\AppData\Local\Temp\59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Roaming\Snace.exe
  "C:\Users\Admin\AppData\Roaming\Snace.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\reviewWinrefperfsvc\WebRuntimeDll.exe
        
        "C:\reviewWinrefperfsvc\WebRuntimeDll.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GdfGRv0ydm.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:216
        
        C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe
        
        "C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
- C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe
  "C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\d9c22b4eaa3c0b9c12c7\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\reviewWinrefperfsvc\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\reviewWinrefperfsvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\reviewWinrefperfsvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Services\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GdfGRv0ydm.bat

Filesize
229B

MD5
f798bb4def99219cb8ec72ed20058ee6

SHA1
d94463e0fe480825d7f762697f9f4d0cc6d083f3

SHA256
f8d2cf1ed48fe1a79aefa1f0dafe922de4c6a70f35562124e577be82038640b5

SHA512
ea50272027086fbcfd98f005eeecc62efc50dc78045bab2f79f0d08c478ec3944c1c50f03881a0dec4d60256a8cfdb32e6ee26b2039f95f878cabc4547cf7442

Download Submit
C:\Users\Admin\AppData\Roaming\Snace.exe

Filesize
1.1MB

MD5
886ec8f57236b11553cbb8de98cf1b69

SHA1
f72c049fcd8baa73e74d70c79d3f3b3045b8cd90

SHA256
958a4807d4c38b89256f1094b72703e7bdec8ca424443e9db71cc271ec75200e

SHA512
6284b75c1f9f8b30926e5e1c6a2a0925ef2aeb5202ac706b9565a226199de6b249e5f01a523df96d79f943986a642d420ecf077590d8f03ceba060eb2fa36114

Download Submit
C:\Users\Admin\AppData\Roaming\Змейка by ДК and AS.exe

Filesize
204KB

MD5
89a940000e5a7562ca32fe47e62d9ab3

SHA1
5afb63a26e2ac622e265e1279323a349c71e0b2d

SHA256
819bca0c3d379cb4375fd72199957791edab39e76eeec2f3be403275009787e8

SHA512
2a3f1818ef815a9a5ce944621775c33774f748877fd7baf858d1224a1beba2aac707354356d717b2143e6ef2877ce63fd7e41a5d083fb3d93b9887452f466553

Download Submit
C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat

Filesize
42B

MD5
3f6e29bbbf283829bb2dc00aeb600bfb

SHA1
064b543066405b411d9713fdc3d042bcebc6a984

SHA256
775dc60b73fa023ba0a7d4b394a4d911c74af2951e0f6379d337ee566a81cd2b

SHA512
9d8a79cbebd80bb4d7b37f8106b1556a06be25cb89d70593f1b4a1b2111a3088bc08b6115bef9db2df408d22f5dc06644abf6e4a5edcaff385c9f033a17e7865

Download Submit
C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe

Filesize
213B

MD5
60bb10e1b4c6be7987af6cdb164a2ea7

SHA1
452bd2a19a71b7b0138cebc399013e7fd5faf992

SHA256
139fcb96f7b9fce0dde74056a75940d5cd131571a1ce3005476efec24824df39

SHA512
09cc5f1de91462474618ce6bc9bf6fbc3f8e9961cc27548428d146f274570a7d8f5a6562d3f66f7fe874cdbd2ecc720f933b3122bb41b25415201e3a7275ec96

Download Submit
C:\reviewWinrefperfsvc\WebRuntimeDll.exe

Filesize
827KB

MD5
6307ea5399fdc7482c17c3ac5e287d13

SHA1
9861a738275262a084500d39743674a274c8a396

SHA256
8e1afc545da625009596890cb867865d1073ca7ac96efae987663305f53c3e3b

SHA512
369e88b1de6b0824e52253a25aed270bceb607265c7040e3324d8b323b719af6cbbc273f408ce9271005e424fa24be9d6db4a32b72a754b5bb2747a09ad97d42

Download Submit
memory/2156-36-0x0000000000350000-0x0000000000426000-memory.dmp

Filesize
856KB

Download
memory/3032-0-0x00007FFF4DC63000-0x00007FFF4DC65000-memory.dmp

Filesize
8KB

Download
memory/3032-1-0x0000000000D60000-0x0000000000EBC000-memory.dmp

Filesize
1.4MB

Download