dcrat | f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cf

Analysis

max time kernel
93s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
Size

1.2MB
MD5

d3b579a658327ea6b0b270989961d4a0
SHA1

4f973046dd649eb484960bb5decdcb1854eb759a
SHA256

f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cf
SHA512

0ed2079276cef4e973e2b0166f4f57ce124c43d2d866a772c78a8a801458256fdb1d233cb0a047dd2e8ee6b09ab66505f75073ed241f73f9944d14078b5d4468
SSDEEP

24576:v+r+6mj4wnm4qDfidSA440wOkTM5lcQANNVRIQPc2UWab:v++6mJqDuQd52QANNVRIQ8

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	644	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	644	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1376-1-0x0000000000500000-0x0000000000632000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c93-18.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	csrss.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\69ddcba757bf72	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files\Windows Media Player\ea1d8f6d871115	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\6cb0b6c459d5d3	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File opened for modification	C:\Program Files\Windows Media Player\upfc.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Adobe\e6c9b481da804f	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\upfc.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Internet Explorer\29c1c3cc0f7685	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\fontdrvhost.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\5b884080fd4f94	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\smss.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files\Windows Media Player\upfc.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files\Windows NT\csrss.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files\Windows NT\886983d96e3d3e	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ea9f0e6c9e2dcd	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\smss.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Google\Temp\9e8d7a4ca61bd9	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Adobe\OfficeClickToRun.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Program Files (x86)\Internet Explorer\unsecapp.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SKB\LanguageModels\5940a34987c991	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Windows\GameBarPresenceWriter\csrss.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Windows\GameBarPresenceWriter\886983d96e3d3e	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Windows\debug\OfficeClickToRun.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Windows\debug\e6c9b481da804f	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
File created	C:\Windows\SKB\LanguageModels\dllhost.exe	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1720	schtasks.exe
4596	schtasks.exe
3604	schtasks.exe
5004	schtasks.exe
2636	schtasks.exe
1604	schtasks.exe
1672	schtasks.exe
4200	schtasks.exe
2480	schtasks.exe
1880	schtasks.exe
4700	schtasks.exe
4512	schtasks.exe
1492	schtasks.exe
3208	schtasks.exe
3692	schtasks.exe
2164	schtasks.exe
3408	schtasks.exe
1764	schtasks.exe
1804	schtasks.exe
2016	schtasks.exe
3320	schtasks.exe
1424	schtasks.exe
400	schtasks.exe
1204	schtasks.exe
4392	schtasks.exe
904	schtasks.exe
1432	schtasks.exe
8	schtasks.exe
3500	schtasks.exe
2236	schtasks.exe
2832	schtasks.exe
4020	schtasks.exe
3996	schtasks.exe
3160	schtasks.exe
4068	schtasks.exe
4320	schtasks.exe
4416	schtasks.exe
4044	schtasks.exe
3220	schtasks.exe
2696	schtasks.exe
408	schtasks.exe
3468	schtasks.exe
3384	schtasks.exe
1168	schtasks.exe
536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1376	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1376	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1376	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
2788	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
Token: SeDebugPrivilege	1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
Token: SeDebugPrivilege	2788	csrss.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1812	1376	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe	96
PID 1376 wrote to memory of 1812	1376	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe	96
PID 1812 wrote to memory of 4600	1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe	131
PID 1812 wrote to memory of 4600	1812	f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe	131
PID 4600 wrote to memory of 1184	4600	cmd.exe	133
PID 4600 wrote to memory of 1184	4600	cmd.exe	133
PID 4600 wrote to memory of 2788	4600	cmd.exe	141
PID 4600 wrote to memory of 2788	4600	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
"C:\Users\Admin\AppData\Local\Temp\f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe
  "C:\Users\Admin\AppData\Local\Temp\f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hwBOjlsGgH.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1184
  - - C:\Windows\GameBarPresenceWriter\csrss.exe
      "C:\Windows\GameBarPresenceWriter\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\debug\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\LanguageModels\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\GameBarPresenceWriter\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\upfc.exe

Filesize
1.2MB

MD5
d3b579a658327ea6b0b270989961d4a0

SHA1
4f973046dd649eb484960bb5decdcb1854eb759a

SHA256
f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cf

SHA512
0ed2079276cef4e973e2b0166f4f57ce124c43d2d866a772c78a8a801458256fdb1d233cb0a047dd2e8ee6b09ab66505f75073ed241f73f9944d14078b5d4468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f6fffabc85ab9bfd39576690b7107ddc421d458f6021a754a0b69969ba6e51cfN.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwBOjlsGgH.bat

Filesize
207B

MD5
9678b58c77bb324624153a44b62cb766

SHA1
86b45c358d6e9f8fc57e10e3d0c63b39bd34431d

SHA256
8bea3e0c0294a9c7b81882d29b2c95e92cab2cd96a574438f5c766dd82401767

SHA512
8562e17d1758bee8440067993297f601eaaf1f2ff37c64df155dfdc87232d9c240f846dccb7192004fae5d417ecd6ee44150ad661d15c5d63230132dabc78365

Download Submit
memory/1376-0-0x00007FFE599A3000-0x00007FFE599A5000-memory.dmp

Filesize
8KB

Download
memory/1376-1-0x0000000000500000-0x0000000000632000-memory.dmp

Filesize
1.2MB

Download
memory/1376-2-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download
memory/1376-3-0x000000001B150000-0x000000001B16C000-memory.dmp

Filesize
112KB

Download
memory/1376-6-0x0000000002820000-0x000000000282C000-memory.dmp

Filesize
48KB

Download
memory/1376-5-0x000000001B170000-0x000000001B186000-memory.dmp

Filesize
88KB

Download
memory/1376-4-0x000000001B7F0000-0x000000001B840000-memory.dmp

Filesize
320KB

Download
memory/1376-17-0x00007FFE599A0000-0x00007FFE5A461000-memory.dmp

Filesize
10.8MB

Download