dcrat | 7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
Size

827KB
MD5

56ab99637a82f98cec56b3318878bc99
SHA1

9b5e3f53a3a7eeb37cf9d00e1787816e2e16fe0b
SHA256

7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8
SHA512

aacedc5ed4baf76c1551d865358d5c1662d2cac17bea9bbc35abecc6b145f4be50423b29c2e90cd0ff3e3d11874aee184b9d42c1f8a395f0fa2246c46bdba323
SSDEEP

12288:ws2MkHy0AkGWpU5cv+ALaOBULNrBjHo0+ET08QzjrWZIESls:oMGyZkGWPlaOBULdBjiN8QsDz

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3944	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	3944	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3140-1-0x0000000000100000-0x00000000001D6000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbf-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

Executes dropped EXE 1 IoCs

pid	Process
4452	sysmon.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Google\ea9f0e6c9e2dcd	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Defender\es-ES\sysmon.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\dwm.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\e6c9b481da804f	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Photo Viewer\TextInputHost.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\VideoLAN\886983d96e3d3e	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\WindowsApps\fontdrvhost.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Google\taskhostw.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Photo Viewer\22eafd247d37c3	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Mail\0a1fd5f707cd16	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\VideoLAN\csrss.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Mail\sppsvc.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files\Windows Defender\es-ES\121e5b5079f7c0	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\6cb0b6c459d5d3	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\security\templates\aa97147c4c782d	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Windows\PrintDialog\fontdrvhost.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Windows\PrintDialog\5b884080fd4f94	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
File created	C:\Windows\security\templates\MusNotification.exe	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4692	schtasks.exe
1644	schtasks.exe
4580	schtasks.exe
4396	schtasks.exe
2352	schtasks.exe
2660	schtasks.exe
2032	schtasks.exe
2772	schtasks.exe
3772	schtasks.exe
5096	schtasks.exe
2144	schtasks.exe
3872	schtasks.exe
884	schtasks.exe
632	schtasks.exe
3192	schtasks.exe
3672	schtasks.exe
2732	schtasks.exe
1076	schtasks.exe
4760	schtasks.exe
4032	schtasks.exe
3716	schtasks.exe
3984	schtasks.exe
3156	schtasks.exe
4264	schtasks.exe
1208	schtasks.exe
848	schtasks.exe
4688	schtasks.exe
3016	schtasks.exe
584	schtasks.exe
4932	schtasks.exe
2296	schtasks.exe
1880	schtasks.exe
4160	schtasks.exe
1152	schtasks.exe
4104	schtasks.exe
4928	schtasks.exe
944	schtasks.exe
1256	schtasks.exe
3712	schtasks.exe
672	schtasks.exe
3836	schtasks.exe
5032	schtasks.exe
2064	schtasks.exe
3012	schtasks.exe
3356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
4452	sysmon.exe
4452	sysmon.exe
4452	sysmon.exe
4452	sysmon.exe
4452	sysmon.exe
4452	sysmon.exe
4452	sysmon.exe
4452	sysmon.exe
4452	sysmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4452	sysmon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
Token: SeDebugPrivilege	4452	sysmon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1044	3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe	130
PID 3140 wrote to memory of 1044	3140	7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe	130
PID 1044 wrote to memory of 5076	1044	cmd.exe	132
PID 1044 wrote to memory of 5076	1044	cmd.exe	132
PID 1044 wrote to memory of 4452	1044	cmd.exe	139
PID 1044 wrote to memory of 4452	1044	cmd.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe
"C:\Users\Admin\AppData\Local\Temp\7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K79ePxSlaT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5076
- - C:\Program Files\Windows Defender\es-ES\sysmon.exe
    "C:\Program Files\Windows Defender\es-ES\sysmon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Google\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\PrintDialog\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\es-ES\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Windows\security\templates\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\security\templates\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
827KB

MD5
56ab99637a82f98cec56b3318878bc99

SHA1
9b5e3f53a3a7eeb37cf9d00e1787816e2e16fe0b

SHA256
7ff470b90b9950a85f958412ecc2d71fe9f243bd3a4882a630745d8276a718d8

SHA512
aacedc5ed4baf76c1551d865358d5c1662d2cac17bea9bbc35abecc6b145f4be50423b29c2e90cd0ff3e3d11874aee184b9d42c1f8a395f0fa2246c46bdba323

Download Submit
C:\Users\Admin\AppData\Local\Temp\K79ePxSlaT.bat

Filesize
215B

MD5
e9aa78334417ea228ba10bf3a9343fbc

SHA1
6ab466789ab6a5d49e49dc8c2de1dd3a1a6c9e1f

SHA256
03cf0ef4263ea85346a76331f5ef81bb1ac2b2941a2e68b6bb0839e52be36f1b

SHA512
9ea8bc2aca80538ff2571605ffb465ab46424a253cbb4e5c0bf4727aba87480375d868db62390386478399940ba533c740743ac7a91f7dc0ca9e285a7eca99b8

Download Submit
memory/3140-0-0x00007FF8470A3000-0x00007FF8470A5000-memory.dmp

Filesize
8KB

Download
memory/3140-1-0x0000000000100000-0x00000000001D6000-memory.dmp

Filesize
856KB

Download
memory/3140-2-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download
memory/3140-38-0x00007FF8470A0000-0x00007FF847B61000-memory.dmp

Filesize
10.8MB

Download