dcrat | 715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
Size

829KB
MD5

4009f012c67a909b3e30c3b179db5c1c
SHA1

55c96f7b89a50031058cb0764885c49967394dfb
SHA256

715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76
SHA512

0c18cef0b27609265de49a761f026376a6811801233b323ed30781f1018a7a1855900c8edb63e417a27cb89b4d5a04671c53ea56bf1ed904ad07825ce8a5eef6
SSDEEP

12288:aGiX93/xLFsYqnIIktZs0CT2DfdGbLQ8JYL/XOaraRP3OZWw:aGit3/xLF6nlktZs0X2g/OaraF3OZWw

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4300	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4300	schtasks.exe	82

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1680-1-0x0000000000430000-0x0000000000506000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca4-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe

Executes dropped EXE 1 IoCs

pid	Process
1616	dllhost.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files\Microsoft Office\RuntimeBroker.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\66fc9ff0ee96c2	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Registry.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\38384e6a620884	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Mail\38384e6a620884	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ee2ad38f3d4382	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\ea1d8f6d871115	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files\Microsoft Office\9e8d7a4ca61bd9	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files (x86)\Windows Mail\SearchApp.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files\Common Files\DESIGNER\unsecapp.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Program Files\Common Files\DESIGNER\29c1c3cc0f7685	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\Idle.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Windows\de-DE\6ccacd8608530f	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Windows\WaaS\services\sihost.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..ents-mdac-oledb-vbs_31bf3856ad364e35_10.0.19041.1_none_546bccb4dec17242\fontdrvhost.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Windows\addins\fontdrvhost.exe	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
File created	C:\Windows\addins\5b884080fd4f94	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1084	schtasks.exe
4408	schtasks.exe
2844	schtasks.exe
4528	schtasks.exe
4536	schtasks.exe
892	schtasks.exe
3128	schtasks.exe
3472	schtasks.exe
2980	schtasks.exe
1536	schtasks.exe
4472	schtasks.exe
1472	schtasks.exe
1548	schtasks.exe
2336	schtasks.exe
2496	schtasks.exe
2768	schtasks.exe
2100	schtasks.exe
2360	schtasks.exe
3092	schtasks.exe
4184	schtasks.exe
3228	schtasks.exe
1468	schtasks.exe
1700	schtasks.exe
2200	schtasks.exe
2296	schtasks.exe
2424	schtasks.exe
1544	schtasks.exe
3872	schtasks.exe
3688	schtasks.exe
3612	schtasks.exe
5032	schtasks.exe
2824	schtasks.exe
2756	schtasks.exe
1416	schtasks.exe
3332	schtasks.exe
5092	schtasks.exe
3428	schtasks.exe
3636	schtasks.exe
228	schtasks.exe
2992	schtasks.exe
3008	schtasks.exe
3956	schtasks.exe
4856	schtasks.exe
4120	schtasks.exe
3244	schtasks.exe
4692	schtasks.exe
4240	schtasks.exe
4252	schtasks.exe
1576	schtasks.exe
2280	schtasks.exe
4616	schtasks.exe
3768	schtasks.exe
3616	schtasks.exe
3952	schtasks.exe
2088	schtasks.exe
1372	schtasks.exe
3220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
1616	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
Token: SeDebugPrivilege	1616	dllhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2348	1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe	140
PID 1680 wrote to memory of 2348	1680	715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe	140
PID 2348 wrote to memory of 3992	2348	cmd.exe	142
PID 2348 wrote to memory of 3992	2348	cmd.exe	142
PID 2348 wrote to memory of 1616	2348	cmd.exe	143
PID 2348 wrote to memory of 1616	2348	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe
"C:\Users\Admin\AppData\Local\Temp\715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W7m84GbGHM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3992
- - C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
    "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\DESIGNER\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\SearchApp.exe

Filesize
829KB

MD5
4009f012c67a909b3e30c3b179db5c1c

SHA1
55c96f7b89a50031058cb0764885c49967394dfb

SHA256
715f3b9c490abf08c544ba284eccd6fa58aa6ee93dd810ce24000531b4ed3d76

SHA512
0c18cef0b27609265de49a761f026376a6811801233b323ed30781f1018a7a1855900c8edb63e417a27cb89b4d5a04671c53ea56bf1ed904ad07825ce8a5eef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\W7m84GbGHM.bat

Filesize
224B

MD5
49fbba4591792ff197f681f0e2e6a7cc

SHA1
4bf6ff51ed9fce292c8e1052aa2c580cebb24031

SHA256
efcf6114402afbd71c8d811060c887fea80d79f2449ca2788186f57b4d66d928

SHA512
daf6f6fbb8ff50c1c60b083fc4e92cf69bf6f132caebc113aa90833288aa3c5e328fd314aab1b0cc0e8688421f7bb3d5901d95af22cb4b8e56cad013a116dbf1

Download Submit
memory/1680-0-0x00007FFBAC563000-0x00007FFBAC565000-memory.dmp

Filesize
8KB

Download
memory/1680-1-0x0000000000430000-0x0000000000506000-memory.dmp

Filesize
856KB

Download
memory/1680-4-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download
memory/1680-46-0x00007FFBAC560000-0x00007FFBAD021000-memory.dmp

Filesize
10.8MB

Download