dcrat | b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe
Size

1.1MB
MD5

a1d4782417480660db2ba6a327755b76
SHA1

ec3e6ab4b58ba02e47a187dbfa404a187140b3a3
SHA256

b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8
SHA512

50812782ea2fb0a5de109f6e9e5b64a8c6b2ff1102f573f63e75f42274075ab4c8999cf0a62d8ea7f73ee190fbedc2881380d77c4b56de2cd1f029939822461d
SSDEEP

24576:U2G/nvxW3Ww0tqoBuQ+I5p5qpLhu33BWwXqto:UbA30TYQ+8qpNWRDq2

Score

10^/10

dcrat discovery evasion infostealer rat

Malware Config

Signatures

DcRat 62 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		784	schtasks.exe
		1936	schtasks.exe
File created	C:\Program Files\7-Zip\5940a34987c991		WebReview.exe
		4992	schtasks.exe
		1888	schtasks.exe
		4232	schtasks.exe
		2728	schtasks.exe
		1752	schtasks.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5b884080fd4f94		WebReview.exe
		4552	schtasks.exe
		1800	schtasks.exe
		4704	schtasks.exe
		2016	schtasks.exe
		4476	schtasks.exe
		4748	schtasks.exe
		4364	schtasks.exe
		5004	schtasks.exe
		2080	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe
		4188	schtasks.exe
		2292	schtasks.exe
		2072	schtasks.exe
		940	schtasks.exe
		220	schtasks.exe
		1492	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\0a1fd5f707cd16		WebReview.exe
		3772	schtasks.exe
		3396	schtasks.exe
		4016	schtasks.exe
		3712	schtasks.exe
		532	schtasks.exe
		1188	schtasks.exe
		3852	schtasks.exe
		2036	schtasks.exe
		4344	schtasks.exe
		3920	schtasks.exe
		3520	schtasks.exe
		2228	schtasks.exe
		408	schtasks.exe
		4956	schtasks.exe
		4312	schtasks.exe
		1020	schtasks.exe
		2860	schtasks.exe
		3896	schtasks.exe
		2576	schtasks.exe
		4104	schtasks.exe
		2256	schtasks.exe
		4424	schtasks.exe
		4376	schtasks.exe
		1228	schtasks.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5940a34987c991		WebReview.exe
		3948	schtasks.exe
		2196	schtasks.exe
		2168	schtasks.exe
		868	schtasks.exe
		3168	schtasks.exe
		4980	schtasks.exe
		2096	schtasks.exe
		2044	schtasks.exe
		4156	schtasks.exe
		4988	schtasks.exe
		3044	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	756	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	756	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b85-10.dat	dcrat
behavioral2/memory/1640-13-0x0000000000360000-0x0000000000436000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WebReview.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WebReview.exe

Executes dropped EXE 3 IoCs

pid	Process
1640	WebReview.exe
336	WebReview.exe
1988	upfc.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe	WebReview.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe	WebReview.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\9e8d7a4ca61bd9	WebReview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\0a1fd5f707cd16	WebReview.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe	WebReview.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe	WebReview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\56085415360792	WebReview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe	WebReview.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5940a34987c991	WebReview.exe
File created	C:\Program Files\Windows Defender\fr-FR\upfc.exe	WebReview.exe
File created	C:\Program Files\Windows Defender\fr-FR\ea1d8f6d871115	WebReview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe	WebReview.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\9e8d7a4ca61bd9	WebReview.exe
File created	C:\Program Files\7-Zip\dllhost.exe	WebReview.exe
File created	C:\Program Files\7-Zip\5940a34987c991	WebReview.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe	WebReview.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\5b884080fd4f94	WebReview.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\Registry.exe	WebReview.exe
File created	C:\Windows\Cursors\ee2ad38f3d4382	WebReview.exe
File created	C:\Windows\InputMethod\SHARED\unsecapp.exe	WebReview.exe
File created	C:\Windows\InputMethod\SHARED\29c1c3cc0f7685	WebReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	WebReview.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3664	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3520	schtasks.exe
2072	schtasks.exe
4104	schtasks.exe
1188	schtasks.exe
3044	schtasks.exe
4188	schtasks.exe
4980	schtasks.exe
2044	schtasks.exe
4704	schtasks.exe
3772	schtasks.exe
2728	schtasks.exe
2196	schtasks.exe
3920	schtasks.exe
4232	schtasks.exe
4992	schtasks.exe
2168	schtasks.exe
3168	schtasks.exe
868	schtasks.exe
3896	schtasks.exe
1020	schtasks.exe
2016	schtasks.exe
532	schtasks.exe
4956	schtasks.exe
1888	schtasks.exe
940	schtasks.exe
2080	schtasks.exe
4988	schtasks.exe
2228	schtasks.exe
4364	schtasks.exe
3396	schtasks.exe
4476	schtasks.exe
3712	schtasks.exe
408	schtasks.exe
2256	schtasks.exe
4016	schtasks.exe
5004	schtasks.exe
1492	schtasks.exe
4312	schtasks.exe
4424	schtasks.exe
1228	schtasks.exe
2036	schtasks.exe
784	schtasks.exe
220	schtasks.exe
1800	schtasks.exe
2096	schtasks.exe
4156	schtasks.exe
3948	schtasks.exe
4376	schtasks.exe
4748	schtasks.exe
4552	schtasks.exe
2860	schtasks.exe
1752	schtasks.exe
2292	schtasks.exe
3852	schtasks.exe
1936	schtasks.exe
4344	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1640	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
336	WebReview.exe
1988	upfc.exe
1988	upfc.exe
1988	upfc.exe
1988	upfc.exe
1988	upfc.exe
1988	upfc.exe
1988	upfc.exe
1988	upfc.exe
1988	upfc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	WebReview.exe
Token: SeDebugPrivilege	336	WebReview.exe
Token: SeDebugPrivilege	1988	upfc.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1880	316	b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe	84
PID 316 wrote to memory of 1880	316	b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe	84
PID 316 wrote to memory of 1880	316	b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe	84
PID 1880 wrote to memory of 1900	1880	WScript.exe	85
PID 1880 wrote to memory of 1900	1880	WScript.exe	85
PID 1880 wrote to memory of 1900	1880	WScript.exe	85
PID 1900 wrote to memory of 1640	1900	cmd.exe	87
PID 1900 wrote to memory of 1640	1900	cmd.exe	87
PID 1640 wrote to memory of 3036	1640	WebReview.exe	107
PID 1640 wrote to memory of 3036	1640	WebReview.exe	107
PID 1900 wrote to memory of 3664	1900	cmd.exe	109
PID 1900 wrote to memory of 3664	1900	cmd.exe	109
PID 1900 wrote to memory of 3664	1900	cmd.exe	109
PID 3036 wrote to memory of 2560	3036	cmd.exe	110
PID 3036 wrote to memory of 2560	3036	cmd.exe	110
PID 3036 wrote to memory of 336	3036	cmd.exe	111
PID 3036 wrote to memory of 336	3036	cmd.exe	111
PID 336 wrote to memory of 1988	336	WebReview.exe	151
PID 336 wrote to memory of 1988	336	WebReview.exe	151

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe
"C:\Users\Admin\AppData\Local\Temp\b92b26104f6813dbaccc15c7595e2cfb3f25a4206aa1b7957bbeac03d5958ef8.exe"
1⤵
- DcRat
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msServercomponentweb\LnKd9V5Ane60N.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\msServercomponentweb\A6MW0Y9mrWWMXc6x0fq3HB4apg3.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\msServercomponentweb\WebReview.exe
      "C:\msServercomponentweb\WebReview.exe"
      4⤵
      DcRat
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8gvyepI0e2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2560
      - C:\msServercomponentweb\WebReview.exe
        
        "C:\msServercomponentweb\WebReview.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Program Files\Windows Defender\fr-FR\upfc.exe
        
        "C:\Program Files\Windows Defender\fr-FR\upfc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\msServercomponentweb\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\msServercomponentweb\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\msServercomponentweb\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\msServercomponentweb\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\msServercomponentweb\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\msServercomponentweb\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\msServercomponentweb\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\msServercomponentweb\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\msServercomponentweb\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\fr-FR\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\msServercomponentweb\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\msServercomponentweb\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\msServercomponentweb\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\SHARED\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\SHARED\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\Speech_OneCore\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WebReview.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\8gvyepI0e2.bat

Filesize
202B

MD5
694b691efd4be39519b8ba02b19f90ac

SHA1
40231f39d98183381b35f86c0111a36924d98102

SHA256
1f058854f07e9ad0504e1bb6530dddf6cb20a6e1f77c0b16bfc80431367edc94

SHA512
232eedf5bd6726ec30d1fdcadf89ebc75c670f96f2f47f9833b3567ec8ac33203e62e48be5744c52df2c034793a8490a2d1d70b6ad4186b7bdcc84d7361c645d

Download Submit
C:\msServercomponentweb\A6MW0Y9mrWWMXc6x0fq3HB4apg3.bat

Filesize
151B

MD5
4b21c00379ad8ddc0506437738f1d391

SHA1
988b1e82626e496602e7b508310fb35fe5882447

SHA256
368d1d57f782f01c424052f5b10070c6a134b5afcf92ff942f15e25f7e812930

SHA512
13d4661b54741f0862025eee3b7009d6db2737bf817d41bc22414e7c821f9dd730981d9d64a0a421a8cc1056b87cf18172fbe02173ef17b248b1a5af454ee53d

Download Submit
C:\msServercomponentweb\LnKd9V5Ane60N.vbe

Filesize
224B

MD5
1d2a93f7694f3dd573699d3c8d77e7fc

SHA1
09151319bfbffce8b299894dea5fc5b7231213f2

SHA256
6bb6489da06439a8b904b93648e74fa7ffb68ff62442632ac4a003d70b9a2b89

SHA512
68d943a19b078bcb9923f299248d461730c52411eacfbc46f68112886ce8a1140de7ed5cb824b2dd5b6ac8ce77bda58a4d7e4e85f7667a592c5a7da7722392b7

Download Submit
C:\msServercomponentweb\WebReview.exe

Filesize
828KB

MD5
deb7ba77dcf2e54fb23d1a9b0e51088d

SHA1
6468abad160c22594fc014d948963ba4a8565074

SHA256
05b123c99c5736a62f1cfd6bc6a9335a533849fe663d875d20ece0caca82e077

SHA512
18cedb50ceab47fed77100586bbb68692d82e4d3afe59815e0fb0d7c88677362756d2bcdc3003f0e6e1b2a3edff36ac450a9864d4d64ef5218612bc86e538de2

Download Submit
memory/1640-12-0x00007FFC0E643000-0x00007FFC0E645000-memory.dmp

Filesize
8KB

Download
memory/1640-13-0x0000000000360000-0x0000000000436000-memory.dmp

Filesize
856KB

Download