dcrat | 590c086f05d1e2c371e3291eda53303a4e83990f2046ae89d9e3352c7b833511

Analysis

max time kernel
19s
max time network
21s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

1.5MB
MD5

154029aecb8134930418ece2437864b8
SHA1

a43825d5c82e4266a37e60a746c31ab128b2a4a1
SHA256

394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617
SHA512

2cc0dd8965fb53479fed5107ec2b8ba90ae15dbbc22f1d0d7bffc573cf049d69ce745840fdaa582060940f5be8381cfd5ecec870943d6a3ddda95c9f32a9826c
SSDEEP

24576:u/R6JpYYCpuA5TwiNgFE/4vZy270wlc8cz4lc2zVg5OlyxJ:uZ6a8+DsZ5lyzIcUawly

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3496	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	3876	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3876	schtasks.exe	84

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/4608-1-0x00000000000B0000-0x0000000000242000-memory.dmp	dcrat
behavioral1/files/0x0007000000023cc1-21.dat	dcrat
behavioral1/files/0x0008000000023cea-80.dat	dcrat
behavioral1/files/0x000200000001e746-116.dat	dcrat
behavioral1/files/0x0009000000023cc7-142.dat	dcrat
behavioral1/files/0x0008000000023cc1-165.dat	dcrat
behavioral1/files/0x000e000000023ceb-212.dat	dcrat
behavioral1/memory/5000-281-0x00000000007F0000-0x0000000000982000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Loader.exe

Executes dropped EXE 1 IoCs

pid	Process
5000	SppExtComObj.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\host\fxr\services.exe	Loader.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5b884080fd4f94	Loader.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	Loader.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe	Loader.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC514.tmp	Loader.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe	Loader.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe	Loader.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCXD56C.tmp	Loader.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXDADF.tmp	Loader.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe	Loader.exe
File created	C:\Program Files\VideoLAN\VLC\skins\ea9f0e6c9e2dcd	Loader.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\RCXC796.tmp	Loader.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC9AC.tmp	Loader.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXCFF9.tmp	Loader.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXDADE.tmp	Loader.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXD077.tmp	Loader.exe
File created	C:\Program Files\dotnet\host\fxr\c5b4cb5e9653cc	Loader.exe
File created	C:\Program Files\Common Files\DESIGNER\Registry.exe	Loader.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\27d1bcfc3c54e0	Loader.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Loader.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\RCXC797.tmp	Loader.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCXCBD1.tmp	Loader.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\66fc9ff0ee96c2	Loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\unsecapp.exe	Loader.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\Registry.exe	Loader.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\taskhostw.exe	Loader.exe
File created	C:\Program Files\Common Files\DESIGNER\ee2ad38f3d4382	Loader.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\services.exe	Loader.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\RCXD56B.tmp	Loader.exe
File created	C:\Program Files (x86)\Common Files\Services\unsecapp.exe	Loader.exe
File created	C:\Program Files (x86)\Common Files\Services\29c1c3cc0f7685	Loader.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXC513.tmp	Loader.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe	Loader.exe
File opened for modification	C:\Program Files\Common Files\DESIGNER\RCXCBD0.tmp	Loader.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe	Loader.exe
File created	C:\Program Files\VideoLAN\VLC\skins\taskhostw.exe	Loader.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\5b884080fd4f94	Loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXB74E.tmp	Loader.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXB7BC.tmp	Loader.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC9AB.tmp	Loader.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXD2E9.tmp	Loader.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\MusNotification.exe	Loader.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXD86C.tmp	Loader.exe
File opened for modification	C:\Windows\PolicyDefinitions\StartMenuExperienceHost.exe	Loader.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\MusNotification.exe	Loader.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\aa97147c4c782d	Loader.exe
File created	C:\Windows\PolicyDefinitions\StartMenuExperienceHost.exe	Loader.exe
File created	C:\Windows\PolicyDefinitions\55b276f4edf653	Loader.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCXD2EA.tmp	Loader.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXD7EE.tmp	Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Loader.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
832	schtasks.exe
1616	schtasks.exe
3304	schtasks.exe
4144	schtasks.exe
1460	schtasks.exe
1144	schtasks.exe
1088	schtasks.exe
876	schtasks.exe
4460	schtasks.exe
5016	schtasks.exe
2236	schtasks.exe
3536	schtasks.exe
5044	schtasks.exe
1132	schtasks.exe
4472	schtasks.exe
4476	schtasks.exe
4208	schtasks.exe
4564	schtasks.exe
956	schtasks.exe
2552	schtasks.exe
1444	schtasks.exe
3732	schtasks.exe
3780	schtasks.exe
1484	schtasks.exe
2036	schtasks.exe
2756	schtasks.exe
3360	schtasks.exe
2404	schtasks.exe
1952	schtasks.exe
1600	schtasks.exe
3988	schtasks.exe
3272	schtasks.exe
2640	schtasks.exe
4320	schtasks.exe
3384	schtasks.exe
3576	schtasks.exe
3496	schtasks.exe
4496	schtasks.exe
4292	schtasks.exe
1268	schtasks.exe
4652	schtasks.exe
2364	schtasks.exe
968	schtasks.exe
3344	schtasks.exe
3664	schtasks.exe
212	schtasks.exe
4400	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
4608	Loader.exe
5000	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	Loader.exe
Token: SeDebugPrivilege	5000	SppExtComObj.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 5000	4608	Loader.exe	137
PID 4608 wrote to memory of 5000	4608	Loader.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Recovery\WindowsRE\SppExtComObj.exe
  "C:\Recovery\WindowsRE\SppExtComObj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Saved Games\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\host\fxr\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\host\fxr\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\DESIGNER\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\DESIGNER\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\skins\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCXDADE.tmp

Filesize
1.5MB

MD5
2911e59a12c508a05bca065482be40b3

SHA1
b7a01fd1f12ece0f559aa65e39e78917ac2fa449

SHA256
e3ed6c927d379df1dec84895d039bf11a4b014dce7596f9a67c7674ad657563e

SHA512
f18655276d937886623127e44690d9c4f5e176706efaf65fd11c352af5e59cfb477c74dca7a424a822be08301a9b0ea3db7e22b68134b231ed36717d3cd774b6

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXC9AB.tmp

Filesize
1.5MB

MD5
b717f612ff1674452074eacbd172db2e

SHA1
f17f5bb73e93f1190f77ac0278848ea9e09ad499

SHA256
dc9f8013c87e10e76dc9619333bbfb4083825fa8d3f9c6c74eb3fe15570c3daf

SHA512
e412dd083762456767b70f8d9fbcda52b74eee31fccbe070eab413a7fd883d1801055e5bc880780302b2959200f48723ebd0c9ea64fa54e9862921e97ed577ca

Download Submit
C:\Recovery\WindowsRE\RCXBA5E.tmp

Filesize
1.5MB

MD5
b66ab928d005c01e272ac126df443b9a

SHA1
aa31d93b26e4172953a46a3c9b68a3221e69220a

SHA256
6344d2c73350e07c8e30d64180483de154713efe517422b4b23d6a9de376901e

SHA512
2d738a0854c1e9e83f9a6e03978e9bb10ba33869f34cfe4cbfb85b22e478269b5f23b5f5f77509b5f4e40d20c242ae0779e308c460f45beb342002ec03afb53e

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.5MB

MD5
154029aecb8134930418ece2437864b8

SHA1
a43825d5c82e4266a37e60a746c31ab128b2a4a1

SHA256
394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617

SHA512
2cc0dd8965fb53479fed5107ec2b8ba90ae15dbbc22f1d0d7bffc573cf049d69ce745840fdaa582060940f5be8381cfd5ecec870943d6a3ddda95c9f32a9826c

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.5MB

MD5
b0b7ec8e933f3a2d41e94018c9d972c7

SHA1
02a10b875592ed1e41a12dd71851a75f2400a7d9

SHA256
6bd7359febdf6b40d816dcdd79eea7e08e8abf25a5a1f9827f7150eaaa815576

SHA512
558c5fcfc829008674ea75fe3c084c75aa5cc5dc646f6ec21f932a2957aa6549850704f8624a385ade2ee39580729d1838102ba5a1b92e423cd9a60421d06c91

Download Submit
C:\Recovery\WindowsRE\explorer.exe

Filesize
1.5MB

MD5
82ef4a0aa54e92d31b29e695814b42ef

SHA1
f6a2557abf85ca1c23a7664eeffb4c2ab48a91aa

SHA256
a04e8ce69ba5c3a0f315d9ba10097db379fdd7ebbe43d31ec415f983f1fec395

SHA512
983d79d19363d4cf32e6d28808be19cba225267813066119c6b47640b0efcaaee000a5b6d7e16128251164945151b1d34209e462db3062ec7fdb6219922601e0

Download Submit
memory/4608-4-0x000000001B030000-0x000000001B080000-memory.dmp

Filesize
320KB

Download
memory/4608-5-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/4608-8-0x0000000002470000-0x000000000247C000-memory.dmp

Filesize
48KB

Download
memory/4608-10-0x00000000025F0000-0x00000000025FE000-memory.dmp

Filesize
56KB

Download
memory/4608-9-0x00000000025E0000-0x00000000025EC000-memory.dmp

Filesize
48KB

Download
memory/4608-11-0x0000000002600000-0x000000000260E000-memory.dmp

Filesize
56KB

Download
memory/4608-12-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/4608-7-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/4608-0-0x00007FFD37FB3000-0x00007FFD37FB5000-memory.dmp

Filesize
8KB

Download
memory/4608-6-0x0000000002450000-0x0000000002466000-memory.dmp

Filesize
88KB

Download
memory/4608-3-0x0000000000900000-0x000000000091C000-memory.dmp

Filesize
112KB

Download
memory/4608-2-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

Filesize
10.8MB

Download
memory/4608-175-0x00007FFD37FB3000-0x00007FFD37FB5000-memory.dmp

Filesize
8KB

Download
memory/4608-198-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

Filesize
10.8MB

Download
memory/4608-1-0x00000000000B0000-0x0000000000242000-memory.dmp

Filesize
1.6MB

Download
memory/4608-282-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

Filesize
10.8MB

Download
memory/5000-281-0x00000000007F0000-0x0000000000982000-memory.dmp

Filesize
1.6MB

Download