dcrat | b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

428bdccd4c240a253810e1c2a4ff8b78.exe
Size

827KB
MD5

428bdccd4c240a253810e1c2a4ff8b78
SHA1

6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c
SHA256

b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d
SHA512

81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63
SSDEEP

12288:GurCqcV04iJuX03lJmrw1DMVMkNcL4uhB6lg1npjzh/Ta6:bypiJOw1D8YhB6lkpjdO6

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 55 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe428bdccd4c240a253810e1c2a4ff8b78.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1292	schtasks.exe
348	schtasks.exe
2868	schtasks.exe
1284	schtasks.exe
2316	schtasks.exe
2592	schtasks.exe
1040	schtasks.exe
980	schtasks.exe
2988	schtasks.exe
2280	schtasks.exe
2560	schtasks.exe
2776	schtasks.exe
452	schtasks.exe
2720	schtasks.exe
2964	schtasks.exe
2716	schtasks.exe
952	schtasks.exe
1808	schtasks.exe
1672	schtasks.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\5940a34987c991	428bdccd4c240a253810e1c2a4ff8b78.exe
2816	schtasks.exe
2104	schtasks.exe
2100	schtasks.exe
2916	schtasks.exe
2472	schtasks.exe
1504	schtasks.exe
2380	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991	428bdccd4c240a253810e1c2a4ff8b78.exe
2976	schtasks.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\cc11b995f2a76d	428bdccd4c240a253810e1c2a4ff8b78.exe
772	schtasks.exe
2412	schtasks.exe
1608	schtasks.exe
548	schtasks.exe
2616	schtasks.exe
2736	schtasks.exe
3052	schtasks.exe
2520	schtasks.exe
2604	schtasks.exe
File created	C:\Windows\Setup\State\886983d96e3d3e	428bdccd4c240a253810e1c2a4ff8b78.exe
1880	schtasks.exe
1580	schtasks.exe
2972	schtasks.exe
2672	schtasks.exe
1428	schtasks.exe
2304	schtasks.exe
2460	schtasks.exe
1172	schtasks.exe
1108	schtasks.exe
472	schtasks.exe
1792	schtasks.exe
2768	schtasks.exe
736	schtasks.exe
692	schtasks.exe
352	schtasks.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2732	schtasks.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2336-1-0x00000000010E0000-0x00000000011B6000-memory.dmp	dcrat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	dcrat
behavioral1/memory/2404-49-0x0000000000B00000-0x0000000000BD6000-memory.dmp	dcrat
behavioral1/memory/1984-56-0x00000000011C0000-0x0000000001296000-memory.dmp	dcrat
behavioral1/memory/2168-63-0x0000000001260000-0x0000000001336000-memory.dmp	dcrat
behavioral1/memory/1524-82-0x00000000000C0000-0x0000000000196000-memory.dmp	dcrat
behavioral1/memory/2332-89-0x0000000000380000-0x0000000000456000-memory.dmp	dcrat
behavioral1/memory/1792-96-0x00000000002E0000-0x00000000003B6000-memory.dmp	dcrat
behavioral1/memory/2236-103-0x0000000001170000-0x0000000001246000-memory.dmp	dcrat

Executes dropped EXE 10 IoCs

Processes:

dwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid process

2404 dwm.exe
1984 dwm.exe
2168 dwm.exe
1872 dwm.exe
2868 dwm.exe
1524 dwm.exe
2332 dwm.exe
1792 dwm.exe
2236 dwm.exe
2716 dwm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service
T1102

Processes:

flow ioc

9 pastebin.com
11 pastebin.com
13 pastebin.com
15 pastebin.com
23 pastebin.com
4 pastebin.com
5 pastebin.com
7 pastebin.com
17 pastebin.com
19 pastebin.com
21 pastebin.com

pid	process
2404	dwm.exe
1984	dwm.exe
2168	dwm.exe
1872	dwm.exe
2868	dwm.exe
1524	dwm.exe
2332	dwm.exe
1792	dwm.exe
2236	dwm.exe
2716	dwm.exe

flow	ioc
9	pastebin.com
11	pastebin.com
13	pastebin.com
15	pastebin.com
23	pastebin.com
4	pastebin.com
5	pastebin.com
7	pastebin.com
17	pastebin.com
19	pastebin.com
21	pastebin.com

Drops file in Program Files directory 17 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exe428bdccd4c240a253810e1c2a4ff8b78.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\de-DE\5940a34987c991	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\101b941d020240	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\24dbde2999530e	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Windows Defender\27d1bcfc3c54e0	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\cc11b995f2a76d	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Reference Assemblies\56085415360792	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Windows Defender\System.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files\7-Zip\Lang\dwm.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File opened for modification	C:\Program Files\7-Zip\Lang\dwm.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\WmiPrvSE.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Reference Assemblies\wininit.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\lsm.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe	428bdccd4c240a253810e1c2a4ff8b78.exe

Drops file in Windows directory 6 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exe428bdccd4c240a253810e1c2a4ff8b78.exe

description	ioc	process
File created	C:\Windows\Offline Web Pages\csrss.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Windows\Offline Web Pages\886983d96e3d3e	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Windows\Setup\State\csrss.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Windows\Setup\State\886983d96e3d3e	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Windows\Fonts\csrss.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
File created	C:\Windows\Fonts\886983d96e3d3e	428bdccd4c240a253810e1c2a4ff8b78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2736	schtasks.exe
2976	schtasks.exe
1040	schtasks.exe
2304	schtasks.exe
1792	schtasks.exe
736	schtasks.exe
1428	schtasks.exe
2868	schtasks.exe
2472	schtasks.exe
2672	schtasks.exe
2560	schtasks.exe
1108	schtasks.exe
2100	schtasks.exe
952	schtasks.exe
2280	schtasks.exe
3052	schtasks.exe
1284	schtasks.exe
1580	schtasks.exe
2104	schtasks.exe
2988	schtasks.exe
548	schtasks.exe
1672	schtasks.exe
2964	schtasks.exe
472	schtasks.exe
1880	schtasks.exe
1808	schtasks.exe
2520	schtasks.exe
2720	schtasks.exe
2380	schtasks.exe
692	schtasks.exe
2604	schtasks.exe
2776	schtasks.exe
2916	schtasks.exe
2768	schtasks.exe
348	schtasks.exe
2616	schtasks.exe
2716	schtasks.exe
1172	schtasks.exe
2412	schtasks.exe
352	schtasks.exe
2460	schtasks.exe
2592	schtasks.exe
2316	schtasks.exe
772	schtasks.exe
2972	schtasks.exe
2816	schtasks.exe
1292	schtasks.exe
980	schtasks.exe
452	schtasks.exe
1608	schtasks.exe
1504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exe428bdccd4c240a253810e1c2a4ff8b78.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

pid	process
2336	428bdccd4c240a253810e1c2a4ff8b78.exe
2336	428bdccd4c240a253810e1c2a4ff8b78.exe
2336	428bdccd4c240a253810e1c2a4ff8b78.exe
1952	428bdccd4c240a253810e1c2a4ff8b78.exe
2404	dwm.exe
1984	dwm.exe
2168	dwm.exe
1872	dwm.exe
2868	dwm.exe
1524	dwm.exe
2332	dwm.exe
1792	dwm.exe
2236	dwm.exe
2716	dwm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.exe428bdccd4c240a253810e1c2a4ff8b78.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exedwm.exe

description	pid	process
Token: SeDebugPrivilege	2336	428bdccd4c240a253810e1c2a4ff8b78.exe
Token: SeDebugPrivilege	1952	428bdccd4c240a253810e1c2a4ff8b78.exe
Token: SeDebugPrivilege	2404	dwm.exe
Token: SeDebugPrivilege	1984	dwm.exe
Token: SeDebugPrivilege	2168	dwm.exe
Token: SeDebugPrivilege	1872	dwm.exe
Token: SeDebugPrivilege	2868	dwm.exe
Token: SeDebugPrivilege	1524	dwm.exe
Token: SeDebugPrivilege	2332	dwm.exe
Token: SeDebugPrivilege	1792	dwm.exe
Token: SeDebugPrivilege	2236	dwm.exe
Token: SeDebugPrivilege	2716	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

428bdccd4c240a253810e1c2a4ff8b78.execmd.exe428bdccd4c240a253810e1c2a4ff8b78.exedwm.execmd.exedwm.execmd.exedwm.execmd.exedwm.execmd.exedwm.execmd.exedwm.execmd.exe

description	pid	process	target process
PID 2336 wrote to memory of 300	2336	428bdccd4c240a253810e1c2a4ff8b78.exe	cmd.exe
PID 2336 wrote to memory of 300	2336	428bdccd4c240a253810e1c2a4ff8b78.exe	cmd.exe
PID 2336 wrote to memory of 300	2336	428bdccd4c240a253810e1c2a4ff8b78.exe	cmd.exe
PID 300 wrote to memory of 760	300	cmd.exe	w32tm.exe
PID 300 wrote to memory of 760	300	cmd.exe	w32tm.exe
PID 300 wrote to memory of 760	300	cmd.exe	w32tm.exe
PID 300 wrote to memory of 1952	300	cmd.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
PID 300 wrote to memory of 1952	300	cmd.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
PID 300 wrote to memory of 1952	300	cmd.exe	428bdccd4c240a253810e1c2a4ff8b78.exe
PID 1952 wrote to memory of 2404	1952	428bdccd4c240a253810e1c2a4ff8b78.exe	dwm.exe
PID 1952 wrote to memory of 2404	1952	428bdccd4c240a253810e1c2a4ff8b78.exe	dwm.exe
PID 1952 wrote to memory of 2404	1952	428bdccd4c240a253810e1c2a4ff8b78.exe	dwm.exe
PID 2404 wrote to memory of 2688	2404	dwm.exe	cmd.exe
PID 2404 wrote to memory of 2688	2404	dwm.exe	cmd.exe
PID 2404 wrote to memory of 2688	2404	dwm.exe	cmd.exe
PID 2688 wrote to memory of 2640	2688	cmd.exe	w32tm.exe
PID 2688 wrote to memory of 2640	2688	cmd.exe	w32tm.exe
PID 2688 wrote to memory of 2640	2688	cmd.exe	w32tm.exe
PID 2688 wrote to memory of 1984	2688	cmd.exe	dwm.exe
PID 2688 wrote to memory of 1984	2688	cmd.exe	dwm.exe
PID 2688 wrote to memory of 1984	2688	cmd.exe	dwm.exe
PID 1984 wrote to memory of 2844	1984	dwm.exe	cmd.exe
PID 1984 wrote to memory of 2844	1984	dwm.exe	cmd.exe
PID 1984 wrote to memory of 2844	1984	dwm.exe	cmd.exe
PID 2844 wrote to memory of 2492	2844	cmd.exe	w32tm.exe
PID 2844 wrote to memory of 2492	2844	cmd.exe	w32tm.exe
PID 2844 wrote to memory of 2492	2844	cmd.exe	w32tm.exe
PID 2844 wrote to memory of 2168	2844	cmd.exe	dwm.exe
PID 2844 wrote to memory of 2168	2844	cmd.exe	dwm.exe
PID 2844 wrote to memory of 2168	2844	cmd.exe	dwm.exe
PID 2168 wrote to memory of 356	2168	dwm.exe	cmd.exe
PID 2168 wrote to memory of 356	2168	dwm.exe	cmd.exe
PID 2168 wrote to memory of 356	2168	dwm.exe	cmd.exe
PID 356 wrote to memory of 2744	356	cmd.exe	w32tm.exe
PID 356 wrote to memory of 2744	356	cmd.exe	w32tm.exe
PID 356 wrote to memory of 2744	356	cmd.exe	w32tm.exe
PID 356 wrote to memory of 1872	356	cmd.exe	dwm.exe
PID 356 wrote to memory of 1872	356	cmd.exe	dwm.exe
PID 356 wrote to memory of 1872	356	cmd.exe	dwm.exe
PID 1872 wrote to memory of 2740	1872	dwm.exe	cmd.exe
PID 1872 wrote to memory of 2740	1872	dwm.exe	cmd.exe
PID 1872 wrote to memory of 2740	1872	dwm.exe	cmd.exe
PID 2740 wrote to memory of 1712	2740	cmd.exe	w32tm.exe
PID 2740 wrote to memory of 1712	2740	cmd.exe	w32tm.exe
PID 2740 wrote to memory of 1712	2740	cmd.exe	w32tm.exe
PID 2740 wrote to memory of 2868	2740	cmd.exe	dwm.exe
PID 2740 wrote to memory of 2868	2740	cmd.exe	dwm.exe
PID 2740 wrote to memory of 2868	2740	cmd.exe	dwm.exe
PID 2868 wrote to memory of 828	2868	dwm.exe	cmd.exe
PID 2868 wrote to memory of 828	2868	dwm.exe	cmd.exe
PID 2868 wrote to memory of 828	2868	dwm.exe	cmd.exe
PID 828 wrote to memory of 1312	828	cmd.exe	w32tm.exe
PID 828 wrote to memory of 1312	828	cmd.exe	w32tm.exe
PID 828 wrote to memory of 1312	828	cmd.exe	w32tm.exe
PID 828 wrote to memory of 1524	828	cmd.exe	dwm.exe
PID 828 wrote to memory of 1524	828	cmd.exe	dwm.exe
PID 828 wrote to memory of 1524	828	cmd.exe	dwm.exe
PID 1524 wrote to memory of 2856	1524	dwm.exe	cmd.exe
PID 1524 wrote to memory of 2856	1524	dwm.exe	cmd.exe
PID 1524 wrote to memory of 2856	1524	dwm.exe	cmd.exe
PID 2856 wrote to memory of 3024	2856	cmd.exe	w32tm.exe
PID 2856 wrote to memory of 3024	2856	cmd.exe	w32tm.exe
PID 2856 wrote to memory of 3024	2856	cmd.exe	w32tm.exe
PID 2856 wrote to memory of 2332	2856	cmd.exe	dwm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe
"C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JxDgkPjzIz.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe
"C:\Users\Admin\AppData\Local\Temp\428bdccd4c240a253810e1c2a4ff8b78.exe"
3⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2640

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2492

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:356

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:2744

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:1712

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:1312

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:3024

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
17⤵
PID:688

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:1144

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
19⤵
PID:2552

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:1972

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
21⤵
PID:2820

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:2928

C:\Program Files\7-Zip\Lang\dwm.exe
"C:\Program Files\7-Zip\Lang\dwm.exe"
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
23⤵
PID:2520

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\5b7985c2-d100-11ee-bb00-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
Filesize
827KB

MD5
428bdccd4c240a253810e1c2a4ff8b78

SHA1
6cb81ccde6f9cd26b0b60ce5b5d948dbda609c8c

SHA256
b9565d219fb7879e482bfc859721acc5e10edadb73a9bb6eb3190e58e45bea5d

SHA512
81619bed44fca74f7c9cd3dc7fef9d52cea24ea4d6ea5cf3eedbe25c9a3f16f12889ff30644371146f8d55a280ed2e6b730c69c50bf2b944c74cc6d7914d1a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat
Filesize
200B

MD5
edd601ce00bb8ed26ef1a6dffd79f131

SHA1
941dc3d93711f0e2ef6d0a2337f96e0d01bc00d7

SHA256
beb96618d5f2d6f3a09751eb52a1ce9dd8ebf020d1cca9ed205f0d28b5f4cb25

SHA512
d3e2785d235c3030f9ed81067718ecc1983ffc847b7fa69bb951d7f137bddc913ec153a9e77b67cc0f997ecf05c1354d01edebf8255640162a57a65e0a70b9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat
Filesize
200B

MD5
4c2696ca8b936cf2f580030f948755e6

SHA1
5246fbf87cbbaeeb419842844b3338d5a152a59e

SHA256
cb906f264f2fe0103ebfff385ae783debbd453deb8c37ff82c968278e9686d3d

SHA512
1bf205dc79243a8519ef4cc1e873478fe1d45835255fe35742139aae85b326947dd42ee4fdd359333cf7d4ac80f38eb0a016d57eb0461203315c01fc35b376e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat
Filesize
200B

MD5
0ffe801077eef6fb7651c24409db8a03

SHA1
04036d47d8a3df194565e532798c77cfc0d9fdda

SHA256
8187488bc4b74c43a840302b022027ba774be564c74b453381cd824d8bddee79

SHA512
37fc4d7ad26addf06dde2ca9c34ec2b104a7cdf25f2549a182885be80f8758bc8fa6d3d3d5ee7a3298959130818ae5eebb02c4df67f237be956409b734eafa76

Download Submit
C:\Users\Admin\AppData\Local\Temp\JxDgkPjzIz.bat
Filesize
235B

MD5
aa47a52226edd674d30f095a8dc9d67e

SHA1
cb771d2aaccc03e0adaaffe12a7006099defcfb9

SHA256
e9a118b6e83ec5f739ee3796bc6811f604c62cbe073c153bc0c53c20d3f904dc

SHA512
f751f676be91a8370e56c0e2ffffb592558b4ffcc164bd4ddba9883e414b25c4c70bb526ad31d0253fb7428513633a778b0e0cbd13af305b3d990260150e2fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat
Filesize
200B

MD5
38d16529b552c155f6a94728cdd66a34

SHA1
03af55aab52f10a0be66326975de8d9e766fdf53

SHA256
71ae6ca70151dc4d52f8544d847154ac20ff5389da2a32d0a890648c5a533fc9

SHA512
0da54c59b4fa9abd22d62987d13f08239ebebcc6415544b2459284c696dc8ea94e36ad3cca2342b9beffef5ac085cf5a0977d1098987f6e0325f3cec9c444878

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat
Filesize
200B

MD5
921c74cacdda108e6d74234f835278ae

SHA1
57305cdf31650fac6338d391c8bc3e52e4f891c9

SHA256
1d9ccc3895fb62f2efd127f4ece3c19301e45c66527ba8f01540a9af8f0002d0

SHA512
a047aa2ebe08f09d79d82c301e77e79bb46081be0356c67ee2cdf447f30cf471df9fd2ceb327a6dccd703e6de2942fcfbd4a9269c106df84136041cd84e9e4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat
Filesize
200B

MD5
c04d564974a1ac7833ca2787c15a6cfc

SHA1
dc6a020236c516ff1a9770a7fe8c42faf3963bd1

SHA256
2c394d403f9c4ec6941294b9a9e28f4d98d8477c3388fbeae213e38f9126a087

SHA512
30cf0926a1379836ea8737d65936ff6413ebb20d3a7c72bf942edd008a61c50cdb22ff1d213874af9fac90a880283bbe4f0be648ee676d6882f84fdb6e3fdeec

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat
Filesize
200B

MD5
14242437b465dda346a623e76c051975

SHA1
6221a39e2807c40bb3cd0384aec533f960f7db57

SHA256
e86788378fc33149fc74c8c48a0c6172981529d9a7ec7e9baf079b49ad3b680a

SHA512
826e8adb74f51b91a08ea568cc2c812d9eec270b61787c3aef60a326a3790ac75183384440eed0968f532b7010b13a0e57d2884bda9ef8e0437a363f8402e0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat
Filesize
200B

MD5
52a22505da6e007282a7f64c1c99efac

SHA1
3343289f11685bcb930df3b48be5492e761f8573

SHA256
7e7f66e53eaba05f7e9a43447b3f84ad9412fd760fd5f489f058e95278a34053

SHA512
4a24df4e65b3b9cbdad9ab4eae60c4fbc2affa87bd4b73b547e333659382f755bb00081a0534430b334fd618414746242c8301e4b0a47bc561ec21e5c4091606

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat
Filesize
200B

MD5
b8b5a2ac1e7374f64a3095d02e0dbe35

SHA1
02f563293022cf598e737afac3874a5199949111

SHA256
93d9803314d904ac38ecf22c915b06720f2dc6339343ed506fdbf7f46ff0b1d2

SHA512
1fa618fba9591f6257c10c457daa6a13d99046163f7436e438f702d702ef8a1d0e0b19facd35f8ccaa972f71522f1bdee8483f794a16210581fe3a26d73644e4

Download Submit
memory/1524-82-0x00000000000C0000-0x0000000000196000-memory.dmp

Filesize
856KB

Download
memory/1792-96-0x00000000002E0000-0x00000000003B6000-memory.dmp

Filesize
856KB

Download
memory/1984-56-0x00000000011C0000-0x0000000001296000-memory.dmp

Filesize
856KB

Download
memory/2168-63-0x0000000001260000-0x0000000001336000-memory.dmp

Filesize
856KB

Download
memory/2236-103-0x0000000001170000-0x0000000001246000-memory.dmp

Filesize
856KB

Download
memory/2332-89-0x0000000000380000-0x0000000000456000-memory.dmp

Filesize
856KB

Download
memory/2336-0-0x000007FEF54C3000-0x000007FEF54C4000-memory.dmp

Filesize
4KB

Download
memory/2336-20-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-2-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp

Filesize
9.9MB

Download
memory/2336-1-0x00000000010E0000-0x00000000011B6000-memory.dmp

Filesize
856KB

Download
memory/2404-49-0x0000000000B00000-0x0000000000BD6000-memory.dmp

Filesize
856KB

Download