dcrat | a96f478eaccaa6f24f94f782f2e65717ce87a2ed8c6e43bdb48dd9f4d83a5f75

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 22:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.1MB
MD5

7a9b75201612cbddbd7306ad838b7702
SHA1

3e933e2963ea93327b484a7fb35edeb8e70b5825
SHA256

a96f478eaccaa6f24f94f782f2e65717ce87a2ed8c6e43bdb48dd9f4d83a5f75
SHA512

2de8b99ff6223c0fe5802aa46a2c8f004ae2d3cf614663861857f360eb78fb93903e5210f8022358416495f18b28b9fe3c2b99c5386b170f36f92c16f818c17a
SSDEEP

24576:U2G/nvxW3Ww0tJjFQ+qTLRr61LjemLSAN0+KleGpi:UbA30RwRXo/NolG

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2708	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2708	schtasks.exe	35

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d58-9.dat	dcrat
behavioral1/memory/2744-13-0x00000000009A0000-0x0000000000A76000-memory.dmp	dcrat
behavioral1/memory/2348-51-0x0000000000BE0000-0x0000000000CB6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

pid	Process
2744	componentwebsession.exe
2348	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2696	cmd.exe
2696	cmd.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6203df4a6bafc7	componentwebsession.exe
File created	C:\Program Files\Internet Explorer\de-DE\dwm.exe	componentwebsession.exe
File created	C:\Program Files\Internet Explorer\de-DE\6cb0b6c459d5d3	componentwebsession.exe
File created	C:\Program Files\Windows Portable Devices\explorer.exe	componentwebsession.exe
File created	C:\Program Files\Windows Portable Devices\7a0fd90576e088	componentwebsession.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe	componentwebsession.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\componentwebsession.exe	componentwebsession.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\aaa46b87f7008d	componentwebsession.exe
File created	C:\Windows\Logs\HomeGroup\services.exe	componentwebsession.exe
File created	C:\Windows\Logs\HomeGroup\c5b4cb5e9653cc	componentwebsession.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\taskhost.exe	componentwebsession.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\b75386f1303e64	componentwebsession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
2660	schtasks.exe
3044	schtasks.exe
1076	schtasks.exe
1196	schtasks.exe
2256	schtasks.exe
2632	schtasks.exe
1048	schtasks.exe
1648	schtasks.exe
2672	schtasks.exe
1736	schtasks.exe
2920	schtasks.exe
1916	schtasks.exe
292	schtasks.exe
1792	schtasks.exe
2964	schtasks.exe
2004	schtasks.exe
2452	schtasks.exe
1656	schtasks.exe
2136	schtasks.exe
2772	schtasks.exe
2008	schtasks.exe
1620	schtasks.exe
1148	schtasks.exe
1660	schtasks.exe
1936	schtasks.exe
1836	schtasks.exe
3028	schtasks.exe
2668	schtasks.exe
2204	schtasks.exe
1072	schtasks.exe
1700	schtasks.exe
2572	schtasks.exe
2720	schtasks.exe
1484	schtasks.exe
2388	schtasks.exe
756	schtasks.exe
1796	schtasks.exe
2880	schtasks.exe
1512	schtasks.exe
1664	schtasks.exe
2276	schtasks.exe
1128	schtasks.exe
684	schtasks.exe
2420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2744	componentwebsession.exe
2744	componentwebsession.exe
2744	componentwebsession.exe
2348	lsm.exe
2348	lsm.exe
2348	lsm.exe
2348	lsm.exe
2348	lsm.exe
2348	lsm.exe
2348	lsm.exe
2348	lsm.exe
2348	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	componentwebsession.exe
Token: SeDebugPrivilege	2348	lsm.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2396	2860	DCRatBuild.exe	30
PID 2860 wrote to memory of 2396	2860	DCRatBuild.exe	30
PID 2860 wrote to memory of 2396	2860	DCRatBuild.exe	30
PID 2860 wrote to memory of 2396	2860	DCRatBuild.exe	30
PID 2396 wrote to memory of 2696	2396	WScript.exe	32
PID 2396 wrote to memory of 2696	2396	WScript.exe	32
PID 2396 wrote to memory of 2696	2396	WScript.exe	32
PID 2396 wrote to memory of 2696	2396	WScript.exe	32
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2696 wrote to memory of 2744	2696	cmd.exe	34
PID 2744 wrote to memory of 1816	2744	componentwebsession.exe	81
PID 2744 wrote to memory of 1816	2744	componentwebsession.exe	81
PID 2744 wrote to memory of 1816	2744	componentwebsession.exe	81
PID 1816 wrote to memory of 1044	1816	cmd.exe	83
PID 1816 wrote to memory of 1044	1816	cmd.exe	83
PID 1816 wrote to memory of 1044	1816	cmd.exe	83
PID 1816 wrote to memory of 2348	1816	cmd.exe	84
PID 1816 wrote to memory of 2348	1816	cmd.exe	84
PID 1816 wrote to memory of 2348	1816	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Bridgemsblockcomponentperf\NlYVQ5qrJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Bridgemsblockcomponentperf\2hJ7Mn5f5Z5JkVq57.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Bridgemsblockcomponentperf\componentwebsession.exe
      "C:\Bridgemsblockcomponentperf\componentwebsession.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TLnGuJVyIa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1816
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1044
      - C:\MSOCache\All Users\lsm.exe
        
        "C:\MSOCache\All Users\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Bridgemsblockcomponentperf\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Bridgemsblockcomponentperf\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Bridgemsblockcomponentperf\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Bridgemsblockcomponentperf\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentwebsessionc" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\componentwebsession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentwebsession" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\componentwebsession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentwebsessionc" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\componentwebsession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Bridgemsblockcomponentperf\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Bridgemsblockcomponentperf\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\HomeGroup\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Bridgemsblockcomponentperf\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Bridgemsblockcomponentperf\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Bridgemsblockcomponentperf\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Bridgemsblockcomponentperf\2hJ7Mn5f5Z5JkVq57.bat

Filesize
55B

MD5
8f7257c5f547039c68750c858b05a0ce

SHA1
1c222f1fa6a871cdb8d8bf90ab5d2f8f0b64e0ee

SHA256
2d925c9f62648aaf46b91efb3e63e6eb49dbcdbebf85acd9886ce71d001cb504

SHA512
eaaf6cd27c1d10afdcefafaa4f488ff0121a966ceb67821fcffac777a27b394a431dac44f953dc868bf8db42e420e8e37ca05717ce65cb711085059dded718af

Download Submit
C:\Bridgemsblockcomponentperf\NlYVQ5qrJ.vbe

Filesize
221B

MD5
372a1fd5b0a18b5d2c8433868b80409f

SHA1
9460aeae733aca6a42a1b45ad5684cab9cbddef5

SHA256
e511fb9d01a3955c024250db45725d631ced31d74b96525c11dc46ac79613fa7

SHA512
910646531fcb860b91ea656c73a66981eb3c1f10d20e5dbb0fbd4ede6541abae11bd3a18daee519b53cd370f94d0262f51ddca642e6e1af5e7955b824611e278

Download Submit
C:\Users\Admin\AppData\Local\Temp\TLnGuJVyIa.bat

Filesize
194B

MD5
8f8f13588370e48c14ff27674f2d988c

SHA1
005b013d5fd86ee392ece043a6bb89379e895790

SHA256
d84ce0b20b185e0e6db232b5a0a0a5d50a44c2076f6fd631696912816747a456

SHA512
22781617df52e160f3b3770f5d47feed8a60276491479eefdee15fceaa87f5468805f31ee963d16dce2680aa941e15ecd3e20daff2f2b45cba7060a4139e14d0

Download Submit
\Bridgemsblockcomponentperf\componentwebsession.exe

Filesize
829KB

MD5
9ec0d74bdb80b5c29ff2d930c22ba856

SHA1
f58ca771c957db21e5fd41c4ea2d0563e3b876c8

SHA256
c5750aada53c6a8c0f2214e463e960ac582c2c27a5b4e33bf52fee513b39607c

SHA512
1a43ef0e869c7657ae2236164ad09c64a05b1cf94ef44addddcd94015c455ee263f1bf1c3ec24fe44b99d6c8c8f9b746d13b3fe510364670f7c3edf7299367b4

Download Submit
memory/2348-51-0x0000000000BE0000-0x0000000000CB6000-memory.dmp

Filesize
856KB

Download
memory/2744-13-0x00000000009A0000-0x0000000000A76000-memory.dmp

Filesize
856KB

Download