dcrat | d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Size

2.7MB
MD5

183cb9283d9c8f6282283bd39f49d33c
SHA1

76674564064d31bb9d37f802bdec3821d4a55d89
SHA256

d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984
SHA512

14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22
SSDEEP

49152:Bfj5Pkja3lMPnl9LS7y5PEeQxtD5vLyCse5EPUC1SKGLFSjvzbN+/rV:BfBkyqPnDSOdEeQfocN8GLQLkz

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3392	2896	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2896	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5084-1-0x0000000000B90000-0x0000000000E44000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cad-31.dat	dcrat
behavioral2/files/0x0008000000023cad-124.dat	dcrat
behavioral2/files/0x0009000000023cb1-133.dat	dcrat
behavioral2/files/0x000200000001e747-157.dat	dcrat
behavioral2/files/0x0009000000023cbb-168.dat	dcrat
behavioral2/files/0x000b000000023cc7-228.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Executes dropped EXE 1 IoCs

pid	Process
4108	services.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\dllhost.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXC05B.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\csrss.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\886983d96e3d3e	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\taskhostw.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\5940a34987c991	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCXC05A.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXCCF7.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\RCXCF99.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXD8D9.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\csrss.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCXCD75.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\RCXD017.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\dllhost.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXD8D8.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Speech\smss.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File created	C:\Windows\Speech\69ddcba757bf72	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Windows\Speech\RCXBB65.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Windows\Speech\RCXBB85.tmp	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
File opened for modification	C:\Windows\Speech\smss.exe	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4800	schtasks.exe
3940	schtasks.exe
4320	schtasks.exe
3092	schtasks.exe
2608	schtasks.exe
2152	schtasks.exe
2488	schtasks.exe
2428	schtasks.exe
1604	schtasks.exe
2852	schtasks.exe
4936	schtasks.exe
3416	schtasks.exe
1148	schtasks.exe
3628	schtasks.exe
4024	schtasks.exe
8	schtasks.exe
4000	schtasks.exe
1684	schtasks.exe
1796	schtasks.exe
1812	schtasks.exe
2760	schtasks.exe
2320	schtasks.exe
2516	schtasks.exe
4564	schtasks.exe
740	schtasks.exe
3724	schtasks.exe
4664	schtasks.exe
1664	schtasks.exe
3164	schtasks.exe
3660	schtasks.exe
2288	schtasks.exe
4212	schtasks.exe
2728	schtasks.exe
4828	schtasks.exe
3588	schtasks.exe
4116	schtasks.exe
1884	schtasks.exe
4436	schtasks.exe
3640	schtasks.exe
2556	schtasks.exe
3524	schtasks.exe
4940	schtasks.exe
3648	schtasks.exe
4640	schtasks.exe
3392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe
4108	services.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4108	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Token: SeDebugPrivilege	4108	services.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 4868	5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	134
PID 5084 wrote to memory of 4868	5084	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe	134
PID 4868 wrote to memory of 4100	4868	cmd.exe	136
PID 4868 wrote to memory of 4100	4868	cmd.exe	136
PID 4868 wrote to memory of 4108	4868	cmd.exe	144
PID 4868 wrote to memory of 4108	4868	cmd.exe	144

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe
"C:\Users\Admin\AppData\Local\Temp\d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C6P4FzNT8u.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4100
- - C:\Users\Public\Videos\services.exe
    "C:\Users\Public\Videos\services.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Speech\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe

Filesize
2.7MB

MD5
bdbb75cc611ac51d683445abbd372b8f

SHA1
f3c645739b7d71c5c699421331037a9bd567f5e0

SHA256
c0f31b4960b8ce53ba29c8fbb957c7d6fd537e48b1370a29009ee9b97a70ec75

SHA512
629ff47153b044388892ef60438d6c085c2e042378dae099cd0ce2d5e4498b6db63623a559d527f9067be5a1770cad73a4559f15368442b6f726dbf2b1ccdcc9

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\dllhost.exe

Filesize
2.7MB

MD5
fc5bbd7ba2b7c1b585c35b2cef23722b

SHA1
07b3a4308d2589badafb43581d63b762641c5870

SHA256
e7d4cfec1d2fb96418c7b15e0c9b107ed522b05fa018ef6d9931677e81e0ca42

SHA512
2a16e2b5e013819bf890dd7b4a5c014840190b4cfe0f881af6f263c661116064930ab4168abc327f803c11a6d39a5c46a672861901f67a368c22988c6ce6d099

Download Submit
C:\ProgramData\sppsvc.exe

Filesize
2.7MB

MD5
7e0f30c37204eb4c43fe721d005bd349

SHA1
8e4e118781182a3f0b982b92b9e901ed912c5935

SHA256
0ad97c22cb729963777899fef9fcc814e28d065af0226e7f2723f30f4db9b621

SHA512
a08461f0cc497513b1713269a8d5d065b6c3f7a5cda57dbb73356a93010e3f280b92f7b2b625bb6741d65de5ddec13f3990615658225717e5a45aac91c08072a

Download Submit
C:\Recovery\WindowsRE\System.exe

Filesize
2.7MB

MD5
870ba8677b4e067ceeba80615c9fcc98

SHA1
689e983e651064789817698df71cf816449b6345

SHA256
50dcfaa6e993f0827fbf9ebf6ac08159655a687acb79a7e0cfcb333b22222503

SHA512
09b2f193a666a5d305ded83442a6102545b5408688fe9a86509bb08d16aa89246adcad13d91254569d56e914df463a4684a3df4b384583cd29d10e8ddfc6f47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6P4FzNT8u.bat

Filesize
200B

MD5
ff08a96ae5a2abf1a0b3f9b9fc497b62

SHA1
9f59d08bd484b8c721fd25f9f6fe236fbe69356a

SHA256
d62f3c2c0bda230ed78d7cdcf3fe4b7b3fe209dab6b57185a71db2c5047fc25c

SHA512
b43384642befb03431cb3c8db422b8db8347cf7a6fb408043b8b8601a06690a5e87e9c55d4fd46dfda20869962b9d9e43e7a10697db84467a73f2b1677567226

Download Submit
C:\Users\Default\wininit.exe

Filesize
2.7MB

MD5
dfad1c462fabc0dcf7548d9a1048d5b8

SHA1
1596b2ab99d91db3a87df3251709999e54f3cfaa

SHA256
98361b17d3a9c3f2df6e6deda01972ef73df5ed2ca1a8e007b8bfa5ce5d0880c

SHA512
82982401df7e776814561a14a2d9e1fac1031bd17280de2976e993c4be29eabc60869e833722a2b07ce9a3793db8a101be5578de65dbd4b13ce24c5e5008a9dc

Download Submit
C:\Users\Public\Videos\services.exe

Filesize
2.7MB

MD5
183cb9283d9c8f6282283bd39f49d33c

SHA1
76674564064d31bb9d37f802bdec3821d4a55d89

SHA256
d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984

SHA512
14a40235310755e00bfa58a5169978b7fe40890e2f1149500f77780b82ef1aed1354daafb149de18deb3690bbc1b4f6e885be988e4163b6e3acdd16c30d28e22

Download Submit
memory/4108-242-0x000000001D5F0000-0x000000001D602000-memory.dmp

Filesize
72KB

Download
memory/5084-9-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/5084-18-0x000000001C200000-0x000000001C20C000-memory.dmp

Filesize
48KB

Download
memory/5084-6-0x0000000003070000-0x0000000003078000-memory.dmp

Filesize
32KB

Download
memory/5084-11-0x000000001BAE0000-0x000000001BAEA000-memory.dmp

Filesize
40KB

Download
memory/5084-12-0x000000001C180000-0x000000001C1D6000-memory.dmp

Filesize
344KB

Download
memory/5084-13-0x000000001BAF0000-0x000000001BAF8000-memory.dmp

Filesize
32KB

Download
memory/5084-14-0x000000001BB00000-0x000000001BB12000-memory.dmp

Filesize
72KB

Download
memory/5084-15-0x000000001C720000-0x000000001CC48000-memory.dmp

Filesize
5.2MB

Download
memory/5084-17-0x000000001C1F0000-0x000000001C1F8000-memory.dmp

Filesize
32KB

Download
memory/5084-21-0x000000001C230000-0x000000001C23A000-memory.dmp

Filesize
40KB

Download
memory/5084-20-0x000000001C220000-0x000000001C22C000-memory.dmp

Filesize
48KB

Download
memory/5084-22-0x000000001C240000-0x000000001C24C000-memory.dmp

Filesize
48KB

Download
memory/5084-19-0x000000001C210000-0x000000001C21E000-memory.dmp

Filesize
56KB

Download
memory/5084-8-0x000000001BAA0000-0x000000001BAB6000-memory.dmp

Filesize
88KB

Download
memory/5084-16-0x000000001BB10000-0x000000001BB18000-memory.dmp

Filesize
32KB

Download
memory/5084-0-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download
memory/5084-10-0x000000001BAD0000-0x000000001BAD8000-memory.dmp

Filesize
32KB

Download
memory/5084-7-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/5084-5-0x000000001C130000-0x000000001C180000-memory.dmp

Filesize
320KB

Download
memory/5084-4-0x000000001BA80000-0x000000001BA9C000-memory.dmp

Filesize
112KB

Download
memory/5084-171-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download
memory/5084-195-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5084-3-0x0000000002EC0000-0x0000000002ECE000-memory.dmp

Filesize
56KB

Download
memory/5084-237-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5084-2-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5084-1-0x0000000000B90000-0x0000000000E44000-memory.dmp

Filesize
2.7MB

Download