dcrat | a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
Size

1.7MB
MD5

60aee14b66a5385404c52533841731f2
SHA1

5fdc7a1d3e168b2b7e2824cd3b50570b03a5d03f
SHA256

a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7
SHA512

5a3eb9d974f43e0a81187d76a779b5995d3645291f15f31fbda165e3c668980d01bed1f3f42561d0a62930e5e09af01a7229dde939e50ad9cc3ce1c413d8dc75
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	3800	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3800	schtasks.exe	83

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1196-1-0x0000000000990000-0x0000000000B46000-memory.dmp	dcrat
behavioral2/files/0x0008000000023ca5-31.dat	dcrat
behavioral2/files/0x0009000000023ca6-63.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1332	powershell.exe
220	powershell.exe
2696	powershell.exe
3968	powershell.exe
4868	powershell.exe
1876	powershell.exe
4664	powershell.exe
2288	powershell.exe
1664	powershell.exe
1512	powershell.exe
4196	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	fontdrvhost.exe
3496	fontdrvhost.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\lsass.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Program Files\VideoLAN\6203df4a6bafc7	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\microsoft.system.package.metadata\upfc.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\VideoLAN\RCX94EF.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\VideoLAN\RCX94F0.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\System.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Program Files\VideoLAN\lsass.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\System.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Windows\addins\27d1bcfc3c54e0	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\addins\RCX9977.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\addins\RCX99E5.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\addins\System.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1116	schtasks.exe
3744	schtasks.exe
3992	schtasks.exe
1272	schtasks.exe
1268	schtasks.exe
4932	schtasks.exe
1892	schtasks.exe
1900	schtasks.exe
3528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
4664	powershell.exe
4664	powershell.exe
3968	powershell.exe
3968	powershell.exe
1512	powershell.exe
1512	powershell.exe
220	powershell.exe
220	powershell.exe
2288	powershell.exe
2288	powershell.exe
4868	powershell.exe
4868	powershell.exe
4196	powershell.exe
4196	powershell.exe
1332	powershell.exe
1332	powershell.exe
2696	powershell.exe
2696	powershell.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1876	powershell.exe
1876	powershell.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1664	powershell.exe
1664	powershell.exe
1512	powershell.exe
2288	powershell.exe
4664	powershell.exe
4196	powershell.exe
3968	powershell.exe
2696	powershell.exe
1876	powershell.exe
4868	powershell.exe
220	powershell.exe
1332	powershell.exe
1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1664	powershell.exe
2388	fontdrvhost.exe
2388	fontdrvhost.exe
2388	fontdrvhost.exe
2388	fontdrvhost.exe
2388	fontdrvhost.exe
2388	fontdrvhost.exe
2388	fontdrvhost.exe
2388	fontdrvhost.exe
3496	fontdrvhost.exe
3496	fontdrvhost.exe
3496	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
Token: SeDebugPrivilege	4664	powershell.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2388	fontdrvhost.exe
Token: SeDebugPrivilege	3496	fontdrvhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1664	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	94
PID 1196 wrote to memory of 1664	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	94
PID 1196 wrote to memory of 3968	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	95
PID 1196 wrote to memory of 3968	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	95
PID 1196 wrote to memory of 1512	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	96
PID 1196 wrote to memory of 1512	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	96
PID 1196 wrote to memory of 2288	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	97
PID 1196 wrote to memory of 2288	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	97
PID 1196 wrote to memory of 2696	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	98
PID 1196 wrote to memory of 2696	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	98
PID 1196 wrote to memory of 220	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	99
PID 1196 wrote to memory of 220	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	99
PID 1196 wrote to memory of 4664	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	100
PID 1196 wrote to memory of 4664	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	100
PID 1196 wrote to memory of 1332	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	101
PID 1196 wrote to memory of 1332	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	101
PID 1196 wrote to memory of 4868	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	103
PID 1196 wrote to memory of 4868	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	103
PID 1196 wrote to memory of 1876	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	104
PID 1196 wrote to memory of 1876	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	104
PID 1196 wrote to memory of 4196	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	106
PID 1196 wrote to memory of 4196	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	106
PID 1196 wrote to memory of 2388	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	116
PID 1196 wrote to memory of 2388	1196	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	116
PID 2388 wrote to memory of 4108	2388	fontdrvhost.exe	117
PID 2388 wrote to memory of 4108	2388	fontdrvhost.exe	117
PID 2388 wrote to memory of 1236	2388	fontdrvhost.exe	118
PID 2388 wrote to memory of 1236	2388	fontdrvhost.exe	118
PID 4108 wrote to memory of 3496	4108	WScript.exe	121
PID 4108 wrote to memory of 3496	4108	WScript.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
"C:\Users\Admin\AppData\Local\Temp\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4196
- C:\Recovery\WindowsRE\fontdrvhost.exe
  "C:\Recovery\WindowsRE\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a974bc78-b0fa-4f15-bb11-7419d72e61b4.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Recovery\WindowsRE\fontdrvhost.exe
      C:\Recovery\WindowsRE\fontdrvhost.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3496
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b04b1a8c-4f8a-4207-a545-e0e0a9d52aef.vbs"
    3⤵
    PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX92DB.tmp

Filesize
1.7MB

MD5
60aee14b66a5385404c52533841731f2

SHA1
5fdc7a1d3e168b2b7e2824cd3b50570b03a5d03f

SHA256
a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7

SHA512
5a3eb9d974f43e0a81187d76a779b5995d3645291f15f31fbda165e3c668980d01bed1f3f42561d0a62930e5e09af01a7229dde939e50ad9cc3ce1c413d8dc75

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4yz3fikn.rkb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a974bc78-b0fa-4f15-bb11-7419d72e61b4.vbs

Filesize
713B

MD5
8d5c6d6a1abbc714ec8dd6a03142a0e5

SHA1
1c9f43726753d702e3e207fd1129a9d79e2b3e40

SHA256
a89a8f963d0ace32a3e439561618916b002f7ec3be5006cae6f3646b465a78c3

SHA512
027f8180ef292e989614d2083bc3c9d865077ccea9e8242bd872a2713bfdbc7af1204658b71b02b1ab399828ee95106320a7a7364f6710066c527b1f5f666e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\b04b1a8c-4f8a-4207-a545-e0e0a9d52aef.vbs

Filesize
489B

MD5
565732c8ca3da73174722a76b9450630

SHA1
7eedd4581e075b542c5fd567b238cb8af9dd1b22

SHA256
f95ad24d68d246689ec573015c53891ab8342c8b2b23be60c116d34f17ad644f

SHA512
b98327b09042f5734e0258c4f04087441f29155aec8142ba6fc53d5a815b4b2e3d76770154fdb38204d927f0cfa42ff979c1e0a8b9b89b9e4e16ad505965bc5d

Download Submit
C:\Windows\addins\System.exe

Filesize
1.7MB

MD5
078926568806facc8e90541443246d9b

SHA1
d63ba82b8ba10c8544a2cba26d8f4ee34a8723d8

SHA256
fc05a0c140a4e64ade369579f6369317f51a02ce0ee2b1f6dae69c09852d2539

SHA512
2347d7412b2caaa649da624558c0cb4df3bb01c0c060a8da1711b39fdf370e1a89ce77a235457159939ecdf63e54b344fb656bb022ec0f8bd05316dfaad5584b

Download Submit
memory/1196-18-0x000000001C1D0000-0x000000001C1DC000-memory.dmp

Filesize
48KB

Download
memory/1196-9-0x0000000002F10000-0x0000000002F20000-memory.dmp

Filesize
64KB

Download
memory/1196-14-0x000000001C1E0000-0x000000001C1EC000-memory.dmp

Filesize
48KB

Download
memory/1196-15-0x000000001B850000-0x000000001B85A000-memory.dmp

Filesize
40KB

Download
memory/1196-19-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

Filesize
10.8MB

Download
memory/1196-0-0x00007FFA5DF43000-0x00007FFA5DF45000-memory.dmp

Filesize
8KB

Download
memory/1196-22-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

Filesize
10.8MB

Download
memory/1196-17-0x000000001C180000-0x000000001C18C000-memory.dmp

Filesize
48KB

Download
memory/1196-16-0x000000001C170000-0x000000001C178000-memory.dmp

Filesize
32KB

Download
memory/1196-11-0x0000000002F00000-0x0000000002F08000-memory.dmp

Filesize
32KB

Download
memory/1196-10-0x0000000002EF0000-0x0000000002EFC000-memory.dmp

Filesize
48KB

Download
memory/1196-13-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/1196-1-0x0000000000990000-0x0000000000B46000-memory.dmp

Filesize
1.7MB

Download
memory/1196-226-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

Filesize
10.8MB

Download
memory/1196-7-0x0000000002EC0000-0x0000000002ED6000-memory.dmp

Filesize
88KB

Download
memory/1196-8-0x0000000002EE0000-0x0000000002EF2000-memory.dmp

Filesize
72KB

Download
memory/1196-5-0x0000000002D40000-0x0000000002D48000-memory.dmp

Filesize
32KB

Download
memory/1196-6-0x0000000002EB0000-0x0000000002EC0000-memory.dmp

Filesize
64KB

Download
memory/1196-4-0x000000001B7F0000-0x000000001B840000-memory.dmp

Filesize
320KB

Download
memory/1196-3-0x0000000001210000-0x000000000122C000-memory.dmp

Filesize
112KB

Download
memory/1196-2-0x00007FFA5DF40000-0x00007FFA5EA01000-memory.dmp

Filesize
10.8MB

Download
memory/2288-117-0x0000018BC0A90000-0x0000018BC0AB2000-memory.dmp

Filesize
136KB

Download