dcrat | e276411989e7564bf768901faff735fb27f8965be3944bc375b2b749aec450a0

Analysis

max time kernel
78s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AIMWARE.exe
Size

5.0MB
MD5

f8feaec1783bc248b0353f68485aff64
SHA1

992edd7ce1421af5adaab756440f35c7fbac5dd0
SHA256

5c749f72885b58055103294609da1fdb353c754a5c92c7cfacd4a9154ba092c1
SHA512

a8fbb73a28da813f1434685083ae0198cf61ce747e14a88ead68bd87f75b216284027ff4e7926eb8828e92c4001a109a5d890d5350e74df5a5fce2461a156456
SSDEEP

98304:IwbrPKbZPs4NDyTVu7DIdMitTS4c1ktbUArj12KYJ9j/:XKdlgjztTBtbUArjn69r

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4736	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4736	schtasks.exe	88

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	comcontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	comcontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	comcontainer.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000023b8a-13.dat	dcrat
behavioral1/memory/2896-16-0x0000000000E00000-0x0000000001186000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	AIMWARE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	comcontainer.exe

Executes dropped EXE 3 IoCs

pid	Process
2896	comcontainer.exe
2000	Idle.exe
1676	Idle.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	comcontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	comcontainer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2588	AIMWARE.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\taskhostw.exe	comcontainer.exe
File created	C:\Program Files\VideoLAN\VLC\ea9f0e6c9e2dcd	comcontainer.exe
File created	C:\Program Files\Windows Defender\fr-FR\Registry.exe	comcontainer.exe
File created	C:\Program Files\Windows Defender\fr-FR\ee2ad38f3d4382	comcontainer.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\RuntimeBroker.exe	comcontainer.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\9e8d7a4ca61bd9	comcontainer.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\dllhost.exe	comcontainer.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\5940a34987c991	comcontainer.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\PLA\67691a6fac4ae7	comcontainer.exe
File created	C:\Windows\ServiceState\EventLog\TextInputHost.exe	comcontainer.exe
File created	C:\Windows\PLA\comcontainer.exe	comcontainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AIMWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	AIMWARE.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	comcontainer.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1736	schtasks.exe
5016	schtasks.exe
440	schtasks.exe
2260	schtasks.exe
2724	schtasks.exe
4672	schtasks.exe
3320	schtasks.exe
4224	schtasks.exe
2680	schtasks.exe
1424	schtasks.exe
4872	schtasks.exe
3584	schtasks.exe
4748	schtasks.exe
3996	schtasks.exe
1772	schtasks.exe
5092	schtasks.exe
3916	schtasks.exe
3184	schtasks.exe
1348	schtasks.exe
732	schtasks.exe
2548	schtasks.exe
3976	schtasks.exe
4064	schtasks.exe
3624	schtasks.exe
2728	schtasks.exe
60	schtasks.exe
2520	schtasks.exe
3672	schtasks.exe
4644	schtasks.exe
5064	schtasks.exe
4708	schtasks.exe
4864	schtasks.exe
3640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2896	comcontainer.exe
2896	comcontainer.exe
2896	comcontainer.exe
2896	comcontainer.exe
2896	comcontainer.exe
2000	Idle.exe
1676	Idle.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	comcontainer.exe
Token: SeDebugPrivilege	2000	Idle.exe
Token: SeDebugPrivilege	1676	Idle.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	AIMWARE.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 3308	2588	AIMWARE.exe	83
PID 2588 wrote to memory of 3308	2588	AIMWARE.exe	83
PID 2588 wrote to memory of 3308	2588	AIMWARE.exe	83
PID 3308 wrote to memory of 4384	3308	WScript.exe	85
PID 3308 wrote to memory of 4384	3308	WScript.exe	85
PID 3308 wrote to memory of 4384	3308	WScript.exe	85
PID 4384 wrote to memory of 2896	4384	cmd.exe	87
PID 4384 wrote to memory of 2896	4384	cmd.exe	87
PID 2896 wrote to memory of 2420	2896	comcontainer.exe	123
PID 2896 wrote to memory of 2420	2896	comcontainer.exe	123
PID 2420 wrote to memory of 1064	2420	cmd.exe	125
PID 2420 wrote to memory of 1064	2420	cmd.exe	125
PID 2420 wrote to memory of 2000	2420	cmd.exe	127
PID 2420 wrote to memory of 2000	2420	cmd.exe	127
PID 2000 wrote to memory of 3080	2000	Idle.exe	129
PID 2000 wrote to memory of 3080	2000	Idle.exe	129
PID 2000 wrote to memory of 4932	2000	Idle.exe	130
PID 2000 wrote to memory of 4932	2000	Idle.exe	130
PID 3080 wrote to memory of 1676	3080	WScript.exe	147
PID 3080 wrote to memory of 1676	3080	WScript.exe	147
PID 1676 wrote to memory of 2040	1676	Idle.exe	149
PID 1676 wrote to memory of 2040	1676	Idle.exe	149
PID 1676 wrote to memory of 4020	1676	Idle.exe	150
PID 1676 wrote to memory of 4020	1676	Idle.exe	150

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	comcontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	comcontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	comcontainer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AIMWARE.exe
"C:\Users\Admin\AppData\Local\Temp\AIMWARE.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ComponentWinmonitor\Z19ODYYX01Aa54IrGXL6pUFb6.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ComponentWinmonitor\a2MV9O.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\ComponentWinmonitor\comcontainer.exe
      "C:\ComponentWinmonitor\comcontainer.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XqtKKvBlr2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1064
      - C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f785bcaf-7b5c-488c-a013-7b3160bd4676.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Recovery\WindowsRE\Idle.exe
        
        C:\Recovery\WindowsRE\Idle.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d17156e0-ffac-46c2-b5cb-ee82916dd663.vbs"
        9⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a090a42-3758-4de9-8332-1d0c02ef444b.vbs"
        9⤵
        
        PID:4020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4875e26-2c11-4516-95ff-8a7f1df2696b.vbs"
        7⤵
        
        PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\ComponentWinmonitor\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\ComponentWinmonitor\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\ComponentWinmonitor\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\ComponentWinmonitor\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ComponentWinmonitor\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\ComponentWinmonitor\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\SendTo\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\fr-FR\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\lib\deploy\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\deploy\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre-1.8\lib\deploy\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comcontainerc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\comcontainer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comcontainer" /sc ONLOGON /tr "'C:\Windows\PLA\comcontainer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comcontainerc" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\comcontainer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\Filters\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ComponentWinmonitor\Z19ODYYX01Aa54IrGXL6pUFb6.vbe

Filesize
202B

MD5
839baa0b3e6009e6c80bbc02e6e15244

SHA1
0b279c8bb02590d7893c6d29887fa4716d754e0a

SHA256
6e6d6d39afb3a2c6ce2834609bf26640fe7ac986ba62c9f09cb1a9b8d21544c4

SHA512
c2c612cf7bbedc294f2d32cf6a452f645ad7a146eabe753f59cedfcd1fe7b3dfdb412ec0e35667ddae2e4f1e0fbd67505b0069e0bdf2d55bf0a259da51ba6e9f

Download Submit
C:\ComponentWinmonitor\a2MV9O.bat

Filesize
41B

MD5
c1b081133fb14466238bb9f9aae50e32

SHA1
e134cb5da8356dfefafa7133fd925bde4b573cc4

SHA256
5fa7f56d6458805827d5b4dcd012a21febb0ddf52a7379cd6aa788643076e2d9

SHA512
9d49210c4ecda8c46e8ce8744fa6a3191931611ae9b3b51e02f37e754dedcfc07c0634f0d710ca7402ef70506f8e3ca35eab1c47d1e78f916313e86bd089d0c3

Download Submit
C:\ComponentWinmonitor\comcontainer.exe

Filesize
3.5MB

MD5
c1030bc6505e4f13d4e87bb8465db0e9

SHA1
d3f807d8eb826cdf752d133e8f57fe9ed89bb3e6

SHA256
10d21bac6e8b785e5089b97e9e027e98a16b76305b35e9c44427bf8080847ec8

SHA512
e0b483661899514cd4480c735a744e1f644d559fc6d29af1fe4f88962a2b7ea8903e1b652c3d3bd898696c32f82034c63599757c7cc7c8ebbfde4f7122086d62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XqtKKvBlr2.bat

Filesize
195B

MD5
621b6f19e114b256cd36860b01086b53

SHA1
bcaddf9325b6d273374c7c44b64c4bd0cc36a342

SHA256
eb3138a19174b0c2b237846357246873f2b58030015a1476f7716f5d364d61cc

SHA512
d95853c17d4082b5f9e1d9aa1acbc66d8d70497a6e337cd3f8336c1e25acfd4c89bcc4990a1b18379ea400001d1995c461a8b342ee6c2cd3aca58885241c43f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d17156e0-ffac-46c2-b5cb-ee82916dd663.vbs

Filesize
706B

MD5
4def15d0bf9152d8281887547e127a74

SHA1
994539f4641af36b3e987be433ebfe0b3092c1a1

SHA256
a5168003359b8a3150442fcc1b6a81097641836d2a234aeb644ab7452c74877f

SHA512
c8b727165671dd4bd6fb002bad700f7a82002d7d8453950b170a607885d7ac462970a846d96da49275bafdcb73637bda931bb160f232d9f2e44b7b47ae7ac5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4875e26-2c11-4516-95ff-8a7f1df2696b.vbs

Filesize
482B

MD5
ab70f38a6a084eab62413c3d02de0067

SHA1
b988d1dbb806972ef4359db7149fe68174aa199b

SHA256
07f6c12265b6afd5bc6a3d22be09a9f6688624af00379b22a2b53a90fe6b7e06

SHA512
fce30aee16220d5945078db30fb57f59fc354718fdc305ea5d6e9491d9c487c81a2810366e2c7e955edf8ed1b0794544ac5eb1460dc3ded2449839d21415640b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f785bcaf-7b5c-488c-a013-7b3160bd4676.vbs

Filesize
706B

MD5
a77aad8aaf08167a07774405b7ab2bb4

SHA1
00be037bebc31d345915bf82c5ca2f40bba622f6

SHA256
710dcb6f6722d4784ba2d886132588fc12fbc884acbd1ede8ef4c0815a127d9c

SHA512
b66e1a25e0ee1b918c3e3a6c8a09937ba751fac45d12b6052df1812467edff6b1e302ad8a6333493b39f525caf30823c7cca36fa5a1b88005987b7fc87d195df

Download Submit
memory/1676-77-0x000000001B190000-0x000000001B1A2000-memory.dmp

Filesize
72KB

Download
memory/2000-64-0x000000001B2D0000-0x000000001B2E2000-memory.dmp

Filesize
72KB

Download
memory/2588-0-0x0000000000100000-0x0000000000556000-memory.dmp

Filesize
4.3MB

Download
memory/2588-10-0x0000000000100000-0x0000000000556000-memory.dmp

Filesize
4.3MB

Download
memory/2896-24-0x000000001BD00000-0x000000001BD12000-memory.dmp

Filesize
72KB

Download
memory/2896-31-0x000000001C740000-0x000000001C74A000-memory.dmp

Filesize
40KB

Download
memory/2896-22-0x000000001BE90000-0x000000001BEE6000-memory.dmp

Filesize
344KB

Download
memory/2896-25-0x000000001CBD0000-0x000000001D0F8000-memory.dmp

Filesize
5.2MB

Download
memory/2896-26-0x000000001C6A0000-0x000000001C6A8000-memory.dmp

Filesize
32KB

Download
memory/2896-27-0x000000001C6B0000-0x000000001C706000-memory.dmp

Filesize
344KB

Download
memory/2896-28-0x000000001C700000-0x000000001C708000-memory.dmp

Filesize
32KB

Download
memory/2896-29-0x000000001C710000-0x000000001C71A000-memory.dmp

Filesize
40KB

Download
memory/2896-30-0x000000001C720000-0x000000001C72E000-memory.dmp

Filesize
56KB

Download
memory/2896-23-0x000000001BCF0000-0x000000001BCFC000-memory.dmp

Filesize
48KB

Download
memory/2896-32-0x000000001C750000-0x000000001C75C000-memory.dmp

Filesize
48KB

Download
memory/2896-21-0x000000001BCE0000-0x000000001BCEA000-memory.dmp

Filesize
40KB

Download
memory/2896-20-0x000000001BCC0000-0x000000001BCD6000-memory.dmp

Filesize
88KB

Download
memory/2896-19-0x00000000033A0000-0x00000000033A8000-memory.dmp

Filesize
32KB

Download
memory/2896-18-0x000000001BD10000-0x000000001BD60000-memory.dmp

Filesize
320KB

Download
memory/2896-17-0x000000001BCA0000-0x000000001BCBC000-memory.dmp

Filesize
112KB

Download
memory/2896-16-0x0000000000E00000-0x0000000001186000-memory.dmp

Filesize
3.5MB

Download
memory/2896-15-0x00007FFA20193000-0x00007FFA20195000-memory.dmp

Filesize
8KB

Download