dcrat | 4944035addbf7b1db7cf58fca9cda3050fbf87c3b5ca18dc124ceae5767a8bea

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74f1fcf96c9e31f50f6d83072ec68d07.exe
Size

19KB
MD5

74f1fcf96c9e31f50f6d83072ec68d07
SHA1

f05ada88e038fef51b6f0840084cd0f155faaa0e
SHA256

4944035addbf7b1db7cf58fca9cda3050fbf87c3b5ca18dc124ceae5767a8bea
SHA512

2816798078e430930c77c7d992924a07159dea089d1462bc17833b197545af5eebbaecca23869b1b880128bf82c4a0ab815c490c7a08ca6ed7e48099ef479074
SSDEEP

384:uJMu1ZUZebwYr/lfbX6b+f9daNutwoLmdKkd/rwmW:E11Zzb1bQ+fXaNOST/rU

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4032	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4032	schtasks.exe	92

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023cd1-7.dat	dcrat
behavioral2/files/0x0007000000023cd8-23.dat	dcrat
behavioral2/memory/2232-25-0x0000000000CA0000-0x0000000000D82000-memory.dmp	dcrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WinLatency.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	74f1fcf96c9e31f50f6d83072ec68d07.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	rdsytgsm.emq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
4992	rdsytgsm.emq.exe
2232	WinLatency.exe
2084	Registry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe	WinLatency.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\Registry.exe	WinLatency.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\ee2ad38f3d4382	WinLatency.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ee2ad38f3d4382	WinLatency.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\04c1e7795967e4	WinLatency.exe
File created	C:\Program Files\Windows Defender\en-US\ea1d8f6d871115	WinLatency.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\29c1c3cc0f7685	WinLatency.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe	WinLatency.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\24dbde2999530e	WinLatency.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Registry.exe	WinLatency.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TrustedInstaller.exe	WinLatency.exe
File created	C:\Program Files\Windows Defender\en-US\upfc.exe	WinLatency.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\upfc.exe	WinLatency.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\SearchApp.exe	WinLatency.exe
File created	C:\Windows\Fonts\38384e6a620884	WinLatency.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\5940a34987c991	WinLatency.exe
File created	C:\Windows\IdentityCRL\production\55b276f4edf653	WinLatency.exe
File created	C:\Windows\fr-FR\121e5b5079f7c0	WinLatency.exe
File created	C:\Windows\AppReadiness\ebf1f9fa8afd6d	WinLatency.exe
File created	C:\Windows\Branding\Basebrd\cmd.exe	WinLatency.exe
File created	C:\Windows\Branding\Basebrd\ebf1f9fa8afd6d	WinLatency.exe
File created	C:\Windows\AppReadiness\cmd.exe	WinLatency.exe
File created	C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe	WinLatency.exe
File created	C:\Windows\fr-FR\sysmon.exe	WinLatency.exe
File created	C:\Windows\RemotePackages\WmiPrvSE.exe	WinLatency.exe
File created	C:\Windows\RemotePackages\24dbde2999530e	WinLatency.exe
File created	C:\Windows\ServiceProfiles\LocalService\Music\dllhost.exe	WinLatency.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74f1fcf96c9e31f50f6d83072ec68d07.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rdsytgsm.emq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	rdsytgsm.emq.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	Registry.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3388	schtasks.exe
5060	schtasks.exe
3292	schtasks.exe
4664	schtasks.exe
4972	schtasks.exe
404	schtasks.exe
4956	schtasks.exe
3488	schtasks.exe
2872	schtasks.exe
3532	schtasks.exe
2396	schtasks.exe
928	schtasks.exe
3672	schtasks.exe
2744	schtasks.exe
732	schtasks.exe
3772	schtasks.exe
624	schtasks.exe
1096	schtasks.exe
2044	schtasks.exe
212	schtasks.exe
908	schtasks.exe
2692	schtasks.exe
4464	schtasks.exe
4936	schtasks.exe
4048	schtasks.exe
448	schtasks.exe
1288	schtasks.exe
1480	schtasks.exe
2652	schtasks.exe
3864	schtasks.exe
848	schtasks.exe
1556	schtasks.exe
2784	schtasks.exe
3652	schtasks.exe
1560	schtasks.exe
756	schtasks.exe
4296	schtasks.exe
4988	schtasks.exe
3096	schtasks.exe
372	schtasks.exe
4768	schtasks.exe
3512	schtasks.exe
4156	schtasks.exe
2876	schtasks.exe
1268	schtasks.exe
4888	schtasks.exe
744	schtasks.exe
3148	schtasks.exe
4484	schtasks.exe
3732	schtasks.exe
4412	schtasks.exe
2340	schtasks.exe
864	schtasks.exe
2352	schtasks.exe
540	schtasks.exe
4244	schtasks.exe
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2232	WinLatency.exe
2084	Registry.exe
2084	Registry.exe
2084	Registry.exe
2084	Registry.exe
2084	Registry.exe
2084	Registry.exe
2084	Registry.exe
2084	Registry.exe
2084	Registry.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2084	Registry.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	74f1fcf96c9e31f50f6d83072ec68d07.exe
Token: SeDebugPrivilege	2232	WinLatency.exe
Token: SeDebugPrivilege	2084	Registry.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 4992	2008	74f1fcf96c9e31f50f6d83072ec68d07.exe	86
PID 2008 wrote to memory of 4992	2008	74f1fcf96c9e31f50f6d83072ec68d07.exe	86
PID 2008 wrote to memory of 4992	2008	74f1fcf96c9e31f50f6d83072ec68d07.exe	86
PID 4992 wrote to memory of 4076	4992	rdsytgsm.emq.exe	87
PID 4992 wrote to memory of 4076	4992	rdsytgsm.emq.exe	87
PID 4992 wrote to memory of 4076	4992	rdsytgsm.emq.exe	87
PID 4076 wrote to memory of 4892	4076	WScript.exe	95
PID 4076 wrote to memory of 4892	4076	WScript.exe	95
PID 4076 wrote to memory of 4892	4076	WScript.exe	95
PID 4892 wrote to memory of 2232	4892	cmd.exe	98
PID 4892 wrote to memory of 2232	4892	cmd.exe	98
PID 2232 wrote to memory of 2084	2232	WinLatency.exe	157
PID 2232 wrote to memory of 2084	2232	WinLatency.exe	157
PID 2084 wrote to memory of 428	2084	Registry.exe	158
PID 2084 wrote to memory of 428	2084	Registry.exe	158
PID 2084 wrote to memory of 2092	2084	Registry.exe	159
PID 2084 wrote to memory of 2092	2084	Registry.exe	159

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\74f1fcf96c9e31f50f6d83072ec68d07.exe
"C:\Users\Admin\AppData\Local\Temp\74f1fcf96c9e31f50f6d83072ec68d07.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\rdsytgsm.emq.exe
  "C:\Users\Admin\AppData\Local\Temp\rdsytgsm.emq.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\WinSattl\WinLatency.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WinSattl\WinLatency.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Program Files\VideoLAN\VLC\skins\fonts\Registry.exe
        
        "C:\Program Files\VideoLAN\VLC\skins\fonts\Registry.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38326f7f-7cfc-4cf8-9d0c-2ba78e6e8191.vbs"
        7⤵
        
        PID:428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2713d1ac-688f-4e75-a59f-348ebcd13c24.vbs"
        7⤵
        
        PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\en-US\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\en-US\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Application Data\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\fr-FR\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\Basebrd\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\AppReadiness\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\AppReadiness\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2713d1ac-688f-4e75-a59f-348ebcd13c24.vbs

Filesize
506B

MD5
8d4555af9ef0f8c6333c6bfdf38b459c

SHA1
621ec4b4b1a987d112be29fe3c62a9d6a2da0d25

SHA256
a979aefeeebc7f3177a667407f62f4a7e6318b68de7c7b2a5afe6434fd544280

SHA512
ad6bc945ced73569beb7459827a0576ac05b824c9a89d7d0ac6d2202857f16597b801400f531a94b7e9bfac8f846a825fac5542055fc4271a9ef1f1cf8c9e523

Download Submit
C:\Users\Admin\AppData\Local\Temp\38326f7f-7cfc-4cf8-9d0c-2ba78e6e8191.vbs

Filesize
730B

MD5
0cbbd75b6d6d4aac9df33b906cfb8a9d

SHA1
1fec84f8abc42ac3f5e49dcd42471d4a50db417f

SHA256
33451ade0edd0c7da8eb785b1fafb0cb9c4ed9e6981254ea323733a597be1034

SHA512
20d9bc0424c65af963ae0f58eff166938dcc22bddf581ac7e325597ca920e13b2bbe2e316d7dd555d37b3c1262c9cebe8a9420ff78c0663b0a9c7b62fb8c0a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinSattl\9Jks4Q9248ljrax16iPG1ojfLKPqxh.bat

Filesize
32B

MD5
379e341777be6ff907435c23e8820088

SHA1
e14dd5b865c6b697c2a76ba49ac90a1b98986bb0

SHA256
c63d7ef8bbd2e8fa2c18fc52fbef8150ea31bd89e0f793a08f60b0468ed50df6

SHA512
df6551d2719418fe3b1f564d59139cf67e5b3a878a3179dbd6fca90d699646e18817bbe62ccba456cbe5d8c67ee9b493abfc85afbaf36a9846bf79dbdf9b2738

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinSattl\H4iFvhalfT9t12Rug.vbe

Filesize
219B

MD5
7e92ca966c14c0e729731a0afa60e5c2

SHA1
ae5c63fa752839a794e46112cd780120f352ee71

SHA256
acd2acbb0fd9b50b061a8252f85f8e2ebba9f32a1f74d157b5061e6e7ceed384

SHA512
aab41b66c085dfb53b472bd8ef3b987b667df6c8f819396aec44f99cfbb20731f6e90b931eb3d5c2c1eb0d9c7ee0bec5465536c3397f6f0b90c719dfc694a715

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinSattl\WinLatency.exe

Filesize
872KB

MD5
b26ea50de8f1da57b78e045ec904e19a

SHA1
8137c1fe0633482dd4c42bf2abb7c3b042877e38

SHA256
78fee25cc75affb005b5ca205328f5e0e44ba153e018fad0a7720c96940f5b9f

SHA512
29b76a3a8cb0435013e46198bab2755f3de84473cfc8a8b3d26dd3e2b05eec0bb1409e9cb43235d4fd6bbe5d30c1978f58acba89d9172e575d94262dc11d1ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdsytgsm.emq.exe

Filesize
1.2MB

MD5
24ab440ae1ee72bb5abb8c40dbc4ff4c

SHA1
3f2331bcebb4bda4a9ecf80f448112c044af0aa7

SHA256
b9f480785e10ba5dfc0cc4975393f93f00de372e77d667c4be323c7da20c6841

SHA512
2b48f5cf2622f3db2010c21df840b4382b6bfbd3ff83e7f0fe6ac7a3f3374054df29b77183d8fed10113928fd2f2abd64a2966f8d714de983759b5d33ecdc62e

Download Submit
memory/2008-11-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2008-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/2008-2-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/2008-1-0x0000000000F70000-0x0000000000F7E000-memory.dmp

Filesize
56KB

Download
memory/2232-25-0x0000000000CA0000-0x0000000000D82000-memory.dmp

Filesize
904KB

Download
memory/2232-26-0x0000000002E00000-0x0000000002E08000-memory.dmp

Filesize
32KB

Download
memory/2232-27-0x000000001BAA0000-0x000000001BAAA000-memory.dmp

Filesize
40KB

Download