dcrat | 4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe
Size

1.9MB
MD5

4cc23344d26c44260cb52028cff992b7
SHA1

7f2b7a02ae3f65c6757f134a79c302a92e31311c
SHA256

4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609
SHA512

71e7ced9568ede15e9a9fe6edbd7ed77559f9046e8fc77ce83bb3fd464c61794ba719451774b2c02f30abc80a51f3563a1491a74d7f390d8152cd0b3b2928c45
SSDEEP

49152:UbA30IKxSrOw6FNapB0LFyYsyqX96ZU8jMWg3:UberOGpaMYducjM3

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2196	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2196	schtasks.exe	35

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Blockreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Blockreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Blockreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016ccc-14.dat	dcrat
behavioral1/memory/2176-18-0x00000000003F0000-0x0000000000590000-memory.dmp	dcrat
behavioral1/memory/2136-69-0x00000000009E0000-0x0000000000B80000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 2 IoCs

pid	Process
2176	Blockreview.exe
2136	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	cmd.exe
2496	cmd.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Blockreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Blockreview.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe	Blockreview.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\1610b97d3ab4a7	Blockreview.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\spoolsv.exe	Blockreview.exe
File created	C:\Program Files\Microsoft Games\Purble Place\ja-JP\f3b6ecef712a24	Blockreview.exe
File created	C:\Program Files\Windows Sidebar\en-US\dllhost.exe	Blockreview.exe
File created	C:\Program Files\Windows Sidebar\Idle.exe	Blockreview.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\services.exe	Blockreview.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\c5b4cb5e9653cc	Blockreview.exe
File created	C:\Program Files\Windows Sidebar\en-US\5940a34987c991	Blockreview.exe
File created	C:\Program Files (x86)\Windows Sidebar\Blockreview.exe	Blockreview.exe
File created	C:\Program Files (x86)\Windows Sidebar\79e77c4328bdc8	Blockreview.exe
File created	C:\Program Files\Windows Sidebar\6ccacd8608530f	Blockreview.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\OSPPSVC.exe	Blockreview.exe
File created	C:\Windows\L2Schemas\1610b97d3ab4a7	Blockreview.exe
File created	C:\Windows\twain_32\audiodg.exe	Blockreview.exe
File created	C:\Windows\twain_32\42af1c969fbb7b	Blockreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1936	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2012	schtasks.exe
1696	schtasks.exe
1392	schtasks.exe
1872	schtasks.exe
2504	schtasks.exe
2264	schtasks.exe
2724	schtasks.exe
1256	schtasks.exe
1660	schtasks.exe
1600	schtasks.exe
1264	schtasks.exe
316	schtasks.exe
2944	schtasks.exe
1008	schtasks.exe
1504	schtasks.exe
544	schtasks.exe
2764	schtasks.exe
1376	schtasks.exe
1296	schtasks.exe
1716	schtasks.exe
2964	schtasks.exe
820	schtasks.exe
748	schtasks.exe
1824	schtasks.exe
1984	schtasks.exe
2828	schtasks.exe
2860	schtasks.exe
2276	schtasks.exe
2252	schtasks.exe
832	schtasks.exe
1036	schtasks.exe
2144	schtasks.exe
2240	schtasks.exe
1388	schtasks.exe
2132	schtasks.exe
2548	schtasks.exe
1728	schtasks.exe
1688	schtasks.exe
2280	schtasks.exe
2668	schtasks.exe
2040	schtasks.exe
2224	schtasks.exe
3048	schtasks.exe
1756	schtasks.exe
2536	schtasks.exe
2064	schtasks.exe
1032	schtasks.exe
3052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2176	Blockreview.exe
2176	Blockreview.exe
2176	Blockreview.exe
2176	Blockreview.exe
2176	Blockreview.exe
2176	Blockreview.exe
2176	Blockreview.exe
2136	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	Blockreview.exe
Token: SeDebugPrivilege	2136	dllhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1796	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	30
PID 1832 wrote to memory of 1796	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	30
PID 1832 wrote to memory of 1796	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	30
PID 1832 wrote to memory of 1796	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	30
PID 1832 wrote to memory of 1972	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	31
PID 1832 wrote to memory of 1972	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	31
PID 1832 wrote to memory of 1972	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	31
PID 1832 wrote to memory of 1972	1832	4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe	31
PID 1796 wrote to memory of 2496	1796	WScript.exe	32
PID 1796 wrote to memory of 2496	1796	WScript.exe	32
PID 1796 wrote to memory of 2496	1796	WScript.exe	32
PID 1796 wrote to memory of 2496	1796	WScript.exe	32
PID 2496 wrote to memory of 2176	2496	cmd.exe	34
PID 2496 wrote to memory of 2176	2496	cmd.exe	34
PID 2496 wrote to memory of 2176	2496	cmd.exe	34
PID 2496 wrote to memory of 2176	2496	cmd.exe	34
PID 2176 wrote to memory of 2136	2176	Blockreview.exe	85
PID 2176 wrote to memory of 2136	2176	Blockreview.exe	85
PID 2176 wrote to memory of 2136	2176	Blockreview.exe	85
PID 2496 wrote to memory of 1936	2496	cmd.exe	86
PID 2496 wrote to memory of 1936	2496	cmd.exe	86
PID 2496 wrote to memory of 1936	2496	cmd.exe	86
PID 2496 wrote to memory of 1936	2496	cmd.exe	86

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Blockreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Blockreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Blockreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe
"C:\Users\Admin\AppData\Local\Temp\4c6650813906ced18f7564f906ea5a033a206cb2c71f244e0d28a04e3f2d7609.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrowserreviewSavesruntimeperf\cyoW9TDLPAWUwl12Pv6zflv.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\BrowserreviewSavesruntimeperf\4COnkcqgLamz7kP5YHD7l4vjV.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\BrowserreviewSavesruntimeperf\Blockreview.exe
      "C:\BrowserreviewSavesruntimeperf\Blockreview.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2176
    - - C:\Program Files\Windows Sidebar\en-US\dllhost.exe
        
        "C:\Program Files\Windows Sidebar\en-US\dllhost.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2136
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\BrowserreviewSavesruntimeperf\file.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\BrowserreviewSavesruntimeperf\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\BrowserreviewSavesruntimeperf\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\BrowserreviewSavesruntimeperf\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Purble Place\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockreviewB" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Blockreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Blockreview" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Blockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockreviewB" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Blockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Network Sharing\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BrowserreviewSavesruntimeperf\4COnkcqgLamz7kP5YHD7l4vjV.bat

Filesize
162B

MD5
30ca6fe561a5efd9a1f56bbb4cfd2ec0

SHA1
8c6d786d854487eb43f2ba5c48f739ad565b398e

SHA256
d749a9500abf1e22af57ef9bc10b7e30f599067dffb7152e03c67eb70a1f6e2b

SHA512
85ff52e77cd3e6c2e329d4b921905865484c62dcb8d53ba97d8e04972e78934648b2fe51890ff949436a2afbabbe74c4e65e1d28a51cdcb2620429c7f481018a

Download Submit
C:\BrowserreviewSavesruntimeperf\cyoW9TDLPAWUwl12Pv6zflv.vbe

Filesize
231B

MD5
01218abf206810b6e271415d154b23f4

SHA1
4ca645974bcd3f9baaf6dbf9073e82717494e7fe

SHA256
5631e2c439fe88993fc8a5ace15a447afc23c6f9412fa5e48fc78e96aa14699b

SHA512
caebaa06e1236fe479b49860a57e065ff70ce876b86fe254bac8912c1f1b2be5022a21c59b45148cfa2b8388c0f4f22655ebd36fb13df1221443de3bacce48d8

Download Submit
C:\BrowserreviewSavesruntimeperf\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
\BrowserreviewSavesruntimeperf\Blockreview.exe

Filesize
1.6MB

MD5
3298254972dfd7e76172f9d3a7675b27

SHA1
569946a908e6a9cfa0a3faa28996d886b749e4eb

SHA256
719c6747522525b61a364a3d62e5777c9f8715dc8654bfd082e7928e4db39188

SHA512
8200af5528dcc1f4b6eddb13540f03ba9d142fc6ef779c94ca1d59fbcb2ed3021638c7b6cc7f865c75c8dd3fe8ef652291b91c9044f3c6b9e57f9fad1c99271d

Download Submit
memory/2136-69-0x00000000009E0000-0x0000000000B80000-memory.dmp

Filesize
1.6MB

Download
memory/2176-22-0x00000000006D0000-0x00000000006E6000-memory.dmp

Filesize
88KB

Download
memory/2176-20-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2176-21-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/2176-19-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/2176-23-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/2176-24-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2176-25-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download
memory/2176-26-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/2176-27-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/2176-28-0x0000000000770000-0x000000000077E000-memory.dmp

Filesize
56KB

Download
memory/2176-29-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/2176-30-0x0000000002480000-0x000000000248C000-memory.dmp

Filesize
48KB

Download
memory/2176-18-0x00000000003F0000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download