dcrat | 6cb03004ec84fff242274e857dde5879044fc6e482c29ce9a06bc8e83cb5ddba

Analysis

max time kernel
140s
max time network
162s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-11-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

javaw.exe
Size

858KB
MD5

ea2dd294adcba588fb4e947640fc6274
SHA1

5c6aaee79b68a9aadd5635600c35b26032347191
SHA256

6cb03004ec84fff242274e857dde5879044fc6e482c29ce9a06bc8e83cb5ddba
SHA512

e91cca7e41aa6f3415206e7ae445f7c25bc408f91f5037ca7333c66bc13ee094d582772d4fcfd502c423ff22928fb07085954e51175b99bdc2da3fef38785a4f
SSDEEP

12288:Bez6kUa93Bd4pgZ82pK60gXz5EOPIMI/jS5wzqMVv:BapV938pgq21+voFM

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	952	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	952	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1660-1-0x00000000000D0000-0x00000000001AC000-memory.dmp	dcrat
behavioral2/files/0x0028000000045063-36.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

javaw.exejavaw.execsrss.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	javaw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	javaw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid	Process
1980	csrss.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
23	ipinfo.io
24	ipinfo.io

Drops file in Program Files directory 16 IoCs

Processes:

javaw.exe

description	ioc	Process
File created	C:\Program Files\Uninstall Information\SearchApp.exe	javaw.exe
File created	C:\Program Files\dotnet\wininit.exe	javaw.exe
File created	C:\Program Files\Windows Media Player\upfc.exe	javaw.exe
File created	C:\Program Files\dotnet\StartMenuExperienceHost.exe	javaw.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6ccacd8608530f	javaw.exe
File created	C:\Program Files\dotnet\55b276f4edf653	javaw.exe
File created	C:\Program Files\Windows Multimedia Platform\upfc.exe	javaw.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\f3b6ecef712a24	javaw.exe
File created	C:\Program Files\dotnet\56085415360792	javaw.exe
File created	C:\Program Files\Windows Media Player\ea1d8f6d871115	javaw.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	javaw.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	javaw.exe
File created	C:\Program Files\Windows Multimedia Platform\ea1d8f6d871115	javaw.exe
File created	C:\Program Files\Windows Defender Advanced Threat Protection\spoolsv.exe	javaw.exe
File created	C:\Program Files\Uninstall Information\38384e6a620884	javaw.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe	javaw.exe

Drops file in Windows directory 11 IoCs

Processes:

javaw.exejavaw.exe

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\f3b6ecef712a24	javaw.exe
File created	C:\Windows\Help\Help\StartMenuExperienceHost.exe	javaw.exe
File created	C:\Windows\Help\Help\55b276f4edf653	javaw.exe
File created	C:\Windows\Prefetch\ReadyBoot\explorer.exe	javaw.exe
File created	C:\Windows\bcastdvr\upfc.exe	javaw.exe
File created	C:\Windows\bcastdvr\ea1d8f6d871115	javaw.exe
File created	C:\Windows\Prefetch\ReadyBoot\7a0fd90576e088	javaw.exe
File created	C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\spoolsv.exe	javaw.exe
File created	C:\Windows\ModemLogs\Registry.exe	javaw.exe
File created	C:\Windows\ModemLogs\ee2ad38f3d4382	javaw.exe
File created	C:\Windows\rescache\_merged\3970336390\Registry.exe	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 4 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
3692	taskkill.exe
3752	taskkill.exe
780	taskkill.exe
348	taskkill.exe

Modifies registry class 1 IoCs

Processes:

javaw.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings	javaw.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
3112	schtasks.exe
4332	schtasks.exe
2644	schtasks.exe
2028	schtasks.exe
1916	schtasks.exe
3540	schtasks.exe
1836	schtasks.exe
3148	schtasks.exe
4008	schtasks.exe
2592	schtasks.exe
1524	schtasks.exe
3556	schtasks.exe
4540	schtasks.exe
3000	schtasks.exe
2812	schtasks.exe
1736	schtasks.exe
1564	schtasks.exe
452	schtasks.exe
3192	schtasks.exe
3228	schtasks.exe
5088	schtasks.exe
5080	schtasks.exe
1852	schtasks.exe
1696	schtasks.exe
5096	schtasks.exe
4632	schtasks.exe
3620	schtasks.exe
2228	schtasks.exe
4280	schtasks.exe
3028	schtasks.exe
2008	schtasks.exe
3792	schtasks.exe
940	schtasks.exe
760	schtasks.exe
1472	schtasks.exe
3200	schtasks.exe
2732	schtasks.exe
2140	schtasks.exe
2900	schtasks.exe
3328	schtasks.exe
4716	schtasks.exe
1468	schtasks.exe
2172	schtasks.exe
3592	schtasks.exe
884	schtasks.exe
4524	schtasks.exe
2036	schtasks.exe
240	schtasks.exe
3804	schtasks.exe
1664	schtasks.exe
3828	schtasks.exe
3772	schtasks.exe
1612	schtasks.exe
2136	schtasks.exe
4196	schtasks.exe
1120	schtasks.exe
4384	schtasks.exe
4704	schtasks.exe
2244	schtasks.exe
2736	schtasks.exe
4084	schtasks.exe
4592	schtasks.exe
3920	schtasks.exe
3732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

javaw.exejavaw.execsrss.exe

pid	Process
1660	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
2336	javaw.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe
1980	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid	Process
1980	csrss.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

javaw.exejavaw.execsrss.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	Process
Token: SeDebugPrivilege	1660	javaw.exe
Token: SeDebugPrivilege	2336	javaw.exe
Token: SeDebugPrivilege	1980	csrss.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

javaw.execmd.exejavaw.execsrss.execmd.exe

description	pid	Process	procid_target
PID 1660 wrote to memory of 1188	1660	javaw.exe	93
PID 1660 wrote to memory of 1188	1660	javaw.exe	93
PID 1188 wrote to memory of 3836	1188	cmd.exe	95
PID 1188 wrote to memory of 3836	1188	cmd.exe	95
PID 1188 wrote to memory of 2336	1188	cmd.exe	100
PID 1188 wrote to memory of 2336	1188	cmd.exe	100
PID 2336 wrote to memory of 1980	2336	javaw.exe	158
PID 2336 wrote to memory of 1980	2336	javaw.exe	158
PID 1980 wrote to memory of 3028	1980	csrss.exe	163
PID 1980 wrote to memory of 3028	1980	csrss.exe	163
PID 3028 wrote to memory of 3692	3028	cmd.exe	165
PID 3028 wrote to memory of 3692	3028	cmd.exe	165
PID 3028 wrote to memory of 3752	3028	cmd.exe	167
PID 3028 wrote to memory of 3752	3028	cmd.exe	167
PID 3028 wrote to memory of 780	3028	cmd.exe	168
PID 3028 wrote to memory of 780	3028	cmd.exe	168
PID 3028 wrote to memory of 348	3028	cmd.exe	169
PID 3028 wrote to memory of 348	3028	cmd.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\javaw.exe
"C:\Users\Admin\AppData\Local\Temp\javaw.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dHauyx1dQA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3836
- - C:\Users\Admin\AppData\Local\Temp\javaw.exe
    "C:\Users\Admin\AppData\Local\Temp\javaw.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Recovery\WindowsRE\csrss.exe
      "C:\Recovery\WindowsRE\csrss.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /f /im crss.exe & taskkill /f /im wininit.exe & taskkill /f /im winlogon.exe & taskkill /f /im svchost.exe
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3028
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im crss.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im wininit.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3752
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im winlogon.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im svchost.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\srmlib\1.0.0.0__31bf3856ad364e35\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Help\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Help\Help\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Help\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\dotnet\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\dotnet\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Local\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Local\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\bcastdvr\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\bcastdvr\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\csrss.exe

Filesize
858KB

MD5
ea2dd294adcba588fb4e947640fc6274

SHA1
5c6aaee79b68a9aadd5635600c35b26032347191

SHA256
6cb03004ec84fff242274e857dde5879044fc6e482c29ce9a06bc8e83cb5ddba

SHA512
e91cca7e41aa6f3415206e7ae445f7c25bc408f91f5037ca7333c66bc13ee094d582772d4fcfd502c423ff22928fb07085954e51175b99bdc2da3fef38785a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\javaw.exe.log

Filesize
1KB

MD5
fcbbff8eeb93ad014bf73143a67cbdce

SHA1
79cd0f544ba90184d14911c68dc2314f2225a020

SHA256
4f3945ae2db9e60f191a1dc16b1e156710f81037869b5515e0c8ed0b31070d01

SHA512
f5c8342c814d31d561642a0218011b86adcac40a068acdfe1870fd26c0b63927a4bcb53fedacb1bfd8f3ae6fde75ddd66ff5ed49dced4a39bfce575f51603ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dHauyx1dQA.bat

Filesize
208B

MD5
d8b9491034fbaea20cb90b5b4631b181

SHA1
714edc9e19439ef110a5d8a335bf55cb873cfa77

SHA256
e539496ac67498e47fccb1c83ff9ebf45c9bd5eb4d155225dffc7992914c6df3

SHA512
3cdcd7534628a6934997e0af2f8138d08377f256ad2a40effb3b328fc47f712ea45bf95a72a394ac6e7c69955f47c2cb2fcf417cff743f5e0cf05f7c21cd396c

Download Submit
memory/1660-0-0x00007FFC03DE3000-0x00007FFC03DE5000-memory.dmp

Filesize
8KB

Download
memory/1660-1-0x00000000000D0000-0x00000000001AC000-memory.dmp

Filesize
880KB

Download
memory/1660-3-0x00007FFC03DE0000-0x00007FFC048A2000-memory.dmp

Filesize
10.8MB

Download
memory/1660-14-0x00007FFC03DE0000-0x00007FFC048A2000-memory.dmp

Filesize
10.8MB

Download