Analysis

max time kernel: 149s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-11-2024 17:50
Behavioral task: behavioral1
Sample: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
Resource: win10v2004-20241007-en
General

Target: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
Size: 1.1MB
MD5: a4ea523b57cc90848732ee08117646d0
SHA1: a9706d93616af18f00027c6d9c29b6b877497c1e
SHA256: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d
SHA512: b280ef14615e5ebd8aece055c6a1eed253a68b47c26df4e92ed16df054db86d838495056806ff87893e04717e939983aae05dcf4c90eb1c5d2176728a0716a05
SSDEEP: 24576:AMYPCI+q+U4cIG409ozWucypk1Nd4AX+iB/YjuM6kyh+i:ABPZ0Kr1FXHB/guM6k+V
Malware Config

Signatures
DcRat 53 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

description | ioc | Process
File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9 | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe

pid | Process (51 rows, every Process is schtasks.exe; pids in the order reported)
4024, 4344, 4784, 3028, 2056, 2260, 3360, 3988, 1408, 2568, 2704, 1564, 5068, 4164, 372, 1344, 1604, 3008, 1120, 3352, 4288, 1304, 3308, 5016, 1952, 1892, 1912, 1852, 3156, 4240, 2668, 2384, 4976, 1476, 3300, 1432, 2064, 872, 4840, 3520, 3320, 4060, 2584, 4204, 1044, 1976, 3964, 3168, 1796, 1772, 2124
Dcrat family
Modifies WinLogon for persistence 2 TTPs 17 IoCs

description | ioc | Process
All 17 rows share description "Set value (str)", the key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and Process 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe. Values written to the Shell key, in the order reported:
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Microsoft\\Storage Health\\SearchApp.exe\", \"C:\\Users\\Default\\Pictures\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\Downloaded Program Files\\SearchApp.exe\", \"C:\\Users\\Default User\\MusNotification.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Microsoft\\Storage Health\\SearchApp.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Microsoft\\Storage Health\\SearchApp.exe\", \"C:\\Users\\Default\\Pictures\\smss.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Microsoft\\Storage Health\\SearchApp.exe\", \"C:\\Users\\Default\\Pictures\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""
- "explorer.exe, \"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\winlogon.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Default User\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Microsoft\\Storage Health\\SearchApp.exe\", \"C:\\Users\\Default\\Pictures\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\Downloaded Program Files\\SearchApp.exe\""
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
All 51 rows share description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 3128, Process schtasks.exe and procid_target 85. pids in the order reported:
1952, 1304, 1772, 3008, 4344, 1604, 3988, 1912, 2124, 5016, 3168, 1796, 4164, 1564, 4204, 2260, 4024, 2704, 372, 4240, 1852, 3964, 1344, 2064, 3360, 872, 3352, 4784, 3028, 4840, 3520, 1476, 1044, 1408, 3308, 2668, 5068, 4060, 1976, 2056, 3300, 1892, 4288, 2584, 1120, 3320, 1432, 3156, 2384, 2568, 4976
resource | yara_rule
behavioral2/memory/4732-1-0x0000000000940000-0x0000000000A6E000-memory.dmp | dcrat
behavioral2/files/0x000a000000023b80-17.dat | dcrat
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
Executes dropped EXE 1 IoCs

pid | Process
248 | RuntimeBroker.exe
Adds Run key to start application 2 TTPs 30 IoCs

description | ioc | Process
All 30 rows share description "Set value (str)" and Process 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe. Run values written, in the order reported:
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\Idle.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\Microsoft\\Storage Health\\SearchApp.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Downloaded Program Files\\SearchApp.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\dllhost.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\Pictures\\smss.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Downloaded Program Files\\SearchApp.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\winlogon.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Admin\\winlogon.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\System.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\it-IT\\RuntimeBroker.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default User\\RuntimeBroker.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Default\\Pictures\\smss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\Microsoft\\Storage Health\\SearchApp.exe\""
- \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Users\\Default User\\MusNotification.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Users\\Default User\\MusNotification.exe\""
Drops file in Program Files directory 9 IoCs

description | ioc | Process
All 9 rows have Process 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe.
- File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe
- File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9
- File created | C:\Program Files\VideoLAN\VLC\locale\Idle.exe
- File created | C:\Program Files\VideoLAN\VLC\locale\6ccacd8608530f
- File created | C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe
- File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe
- File created | C:\Program Files\Windows NT\TableTextService\en-US\5940a34987c991
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\System.exe
- File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\27d1bcfc3c54e0
Drops file in Windows directory 2 IoCs

description | ioc | Process
File created | C:\Windows\Downloaded Program Files\SearchApp.exe | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
File created | C:\Windows\Downloaded Program Files\38384e6a620884 | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process (51 rows, every Process is schtasks.exe; pids in the order reported)
4344, 2124, 1852, 3964, 3360, 2056, 1120, 2384, 1304, 1796, 5016, 4164, 2260, 5068, 1976, 1952, 1604, 3988, 1912, 3168, 4784, 3028, 4840, 3156, 1772, 4204, 372, 4060, 4976, 1564, 4240, 2064, 872, 3300, 1892, 2584, 1432, 2568, 3352, 3520, 1476, 3308, 4288, 3008, 4024, 2704, 1344, 1044, 1408, 2668, 3320
Suspicious behavior: EnumeratesProcesses 11 IoCs

pid | Process
4732 | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe (10 identical rows)
248 | RuntimeBroker.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

description | pid | Process
Token: SeDebugPrivilege | 4732 | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
Token: SeDebugPrivilege | 248 | RuntimeBroker.exe
Suspicious use of WriteProcessMemory 2 IoCs

description | pid | Process | procid_target
PID 4732 wrote to memory of 248 | 4732 | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe | 138
PID 4732 wrote to memory of 248 | 4732 | 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe | 138
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d.exe"
  PID: 4732
  - DcRat
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Default User\RuntimeBroker.exe (child of PID 4732)
      Command line: "C:\Users\Default User\RuntimeBroker.exe"
      PID: 248
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

schtasks.exe invocations. Each of the 51 entries below is a separate top-level process in the captured tree (image C:\Windows\system32\schtasks.exe) and carries the same three signatures: DcRat, Process spawned unexpected child process, Scheduled Task/Job: Scheduled Task.

PID 1952  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
PID 1304  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
PID 1772  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3008  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
PID 4344  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 1604  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 3988  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\winlogon.exe'" /f
PID 1912  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
PID 2124  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
PID 5016  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /f
PID 3168  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /rl HIGHEST /f
PID 1796  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\Idle.exe'" /rl HIGHEST /f
PID 4164  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /f
PID 1564  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
PID 4204  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\dllhost.exe'" /rl HIGHEST /f
PID 2260  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\System.exe'" /f
PID 4024  schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\System.exe'" /rl HIGHEST /f
PID 2704  schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\System.exe'" /rl HIGHEST /f
PID 372   schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
PID 4240  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 1852  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
PID 3964  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
PID 1344  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
PID 2064  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
PID 3360  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
PID 872   schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
PID 3352  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
PID 4784  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
PID 3028  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 4840  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 3520  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
PID 1476  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 1044  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
PID 1408  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
PID 3308  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
PID 2668  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
PID 5068  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Storage Health\SearchApp.exe'" /f
PID 4060  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Storage Health\SearchApp.exe'" /rl HIGHEST /f
PID 1976  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Storage Health\SearchApp.exe'" /rl HIGHEST /f
PID 2056  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\smss.exe'" /f
PID 3300  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
PID 1892  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\smss.exe'" /rl HIGHEST /f
PID 4288  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
PID 2584  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 1120  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
PID 3320  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /f
PID 1432  schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
PID 3156  schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /rl HIGHEST /f
PID 2384  schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\MusNotification.exe'" /f
PID 2568  schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
PID 4976  schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
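The following Python script is an added triage example; it is not part of the sandbox report and not code from the sample or any vendor. It takes nine of the schtasks.exe command lines from the process tree above (copied verbatim, in the order shown) plus one constructed benign line, parses each /create invocation, groups tasks by target path and flags the three patterns the tree exhibits: a Windows system-binary name dropped outside its real directory, a task name that is the binary name plus one trailing character ("RuntimeBrokerR", "servicess", "csrssc"), and an ONLOGON task paired with MINUTE-interval relaunches of the same file. It also models the effect of /f: a later /create with the same /tn replaces the earlier definition, so of the differently-targeted "RuntimeBrokerR" tasks only the last registered survives. The impersonated-name list, the directory allowlist and the watchdog threshold are assumptions made for this example.

```python
"""Triage schtasks /create command lines lifted from a sandbox process tree."""
import re
from collections import defaultdict

# Binary names the sample reuses for its drops (taken from the task list in the
# report). Genuine copies live under System32/SysWOW64/SystemApps; "System" and
# "Idle" are kernel pseudo-processes and never exist as files. The name list,
# the directory allowlist and the watchdog threshold are assumptions made for
# this example, not part of the report.
IMPERSONATED = {
    "runtimebroker.exe", "services.exe", "winlogon.exe", "csrss.exe", "smss.exe",
    "dllhost.exe", "sppsvc.exe", "searchapp.exe", "musnotification.exe",
    "idle.exe", "system.exe",
}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\windows\\systemapps\\")
WATCHDOG_MAX_MINUTES = 15

# Command lines copied from the process tree above, in the order shown, plus
# one constructed benign line (last) for contrast.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\SearchApp.exe'" /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe"''',
]

_OPT = re.compile(r'/(tn|tr|sc|mo|rl|st)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the options of one `schtasks /create` line, or None for other verbs."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.IGNORECASE):
        return None
    opts = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _OPT.finditer(cmdline)}
    # /tr is double-quoted and the path inside it single-quoted; strip both.
    target = opts.get("tr", "").strip("\"' ")
    return {
        "name": opts.get("tn", ""),
        "schedule": opts.get("sc", "").upper(),
        "modifier": opts.get("mo"),
        "runlevel": opts.get("rl", "").upper(),
        "target": target,
        "basename": target.rsplit("\\", 1)[-1].lower(),
    }


def flag_task(task):
    """Indicators for a single task; each string is one reason it looks hostile."""
    flags = []
    base, target, name = task["basename"], task["target"].lower(), task["name"].lower()
    if base in IMPERSONATED and not target.startswith(EXPECTED_DIRS):
        flags.append("system binary name outside its expected directory")
    stem = base[:-4] if base.endswith(".exe") else base
    if stem and len(name) == len(stem) + 1 and name.startswith(stem):
        flags.append("task name is the binary name plus one character")
    mod = task["modifier"] or ""
    if task["schedule"] == "MINUTE" and mod.isdigit() and int(mod) <= WATCHDOG_MAX_MINUTES:
        flags.append("relaunches every few minutes (watchdog)")
    return flags


def effective_tasks(cmdlines):
    """Model /f: a later /create with the same /tn replaces the earlier definition,
    so Task Scheduler keeps only the last one registered under each name."""
    surviving = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if task:
            surviving[task["name"].lower()] = task  # task names are case-insensitive
    return surviving


def triage(cmdlines):
    """Group every /create by target path and collect the flags per target."""
    groups = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task:
            groups[task["target"]].append(task)
    report = {}
    for target, tasks in groups.items():
        flags = {f for t in tasks for f in flag_task(t)}
        schedules = {t["schedule"] for t in tasks}
        if "ONLOGON" in schedules and "MINUTE" in schedules:
            flags.add("logon task paired with minute-interval relaunch of the same file")
        report[target] = {"tasks": len(tasks), "schedules": schedules, "flags": sorted(flags)}
    return report


if __name__ == "__main__":
    for target, info in triage(SAMPLE_CMDLINES).items():
        print(f"{target}: {info['tasks']} task(s); " + "; ".join(info["flags"]))
    for name, t in effective_tasks(SAMPLE_CMDLINES).items():
        print(f"surviving task {name!r} -> {t['target']}")
```

Two points the script makes that matter for response. First, a directory allowlist keyed on the C:\Windows prefix alone would miss the SearchApp.exe drop in C:\Windows\Downloaded Program Files, which is why the check compares against the directories the genuine binaries actually live in. Second, because every task is registered with /f into the root task folder, names collide across targets: run over the full tree in the order shown, "RuntimeBrokerR" and "RuntimeBroker" end up pointing at C:\Users\Default User\RuntimeBroker.exe, "IdleI"/"Idle" at C:\Recovery\WindowsRE\Idle.exe and "SearchAppS"/"SearchApp" at C:\Windows\Downloaded Program Files\SearchApp.exe, while the earlier copies remain on disk without a task. Collect all fifteen distinct target paths from the tree, not only the ones the surviving tasks reference, and remember that /rl HIGHEST only yields an elevated token when the registering account is an administrator.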
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
Filesize: 1.1MB
MD5: a4ea523b57cc90848732ee08117646d0
SHA1: a9706d93616af18f00027c6d9c29b6b877497c1e
SHA256: 93e88c0eeb14a25944205694761570f5e1700e260910134faf82eafe33d0ee1d
SHA512: b280ef14615e5ebd8aece055c6a1eed253a68b47c26df4e92ed16df054db86d838495056806ff87893e04717e939983aae05dcf4c90eb1c5d2176728a0716a05