dcrat | 79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TANOMIlauncher.exe.bin.exe
Size

1.6MB
MD5

e4d5bf96ef8643dcfd7a7f54e572cf59
SHA1

b80bc4046716b909a2f0692faef8d037a61cb9ee
SHA256

79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98
SHA512

6704a1d6da446ab58717dc154180d817d4d3561a4e369d7f066421302c514950a51dd6104ec1e1b180488f7262c2bff00c02438aabc5e74e00e554e2290e1822
SSDEEP

24576:yTbBv5rUTxMWorF6OswaKn31LdWnriW26/kSBn3vwof0XcpDAFsGo5kCfBC2MRy:UBaM3ZdjV4nri+FT0XPQLCBRy

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\explorer.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\extensions\\Idle.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\extensions\\Idle.exe\", \"C:\\Windows\\Resources\\Themes\\Aero\\de-DE\\wininit.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\cmd.exe\", \"C:\\Program Files\\Google\\Chrome\\explorer.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\lua\\extensions\\Idle.exe\", \"C:\\Windows\\Resources\\Themes\\Aero\\de-DE\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bridgeChainBlockreviewWin\\DrivermonitorNetdhcp.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\cmd.exe\""	DrivermonitorNetdhcp.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	5004	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	5004	schtasks.exe	33

Executes dropped EXE 2 IoCs

pid	Process
2896	DrivermonitorNetdhcp.exe
2676	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2156	cmd.exe
2156	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Resources\\Themes\\Aero\\de-DE\\wininit.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DrivermonitorNetdhcp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bridgeChainBlockreviewWin\\DrivermonitorNetdhcp.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\System.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\cmd.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\extensions\\Idle.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\Resources\\Themes\\Aero\\de-DE\\wininit.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Windows Sidebar\\fr-FR\\cmd.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Google\\Chrome\\explorer.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Google\\Chrome\\explorer.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\extensions\\Idle.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DrivermonitorNetdhcp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bridgeChainBlockreviewWin\\DrivermonitorNetdhcp.exe\""	DrivermonitorNetdhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC718FB3E9A79D4639BBCC38DB8FF14263.TMP	csc.exe
File created	\??\c:\Windows\System32\hi5-9c.exe	csc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\System.exe	DrivermonitorNetdhcp.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\27d1bcfc3c54e0	DrivermonitorNetdhcp.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\Idle.exe	DrivermonitorNetdhcp.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\6ccacd8608530f	DrivermonitorNetdhcp.exe
File created	C:\Program Files\Google\Chrome\explorer.exe	DrivermonitorNetdhcp.exe
File created	C:\Program Files\Google\Chrome\7a0fd90576e088	DrivermonitorNetdhcp.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\cmd.exe	DrivermonitorNetdhcp.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\ebf1f9fa8afd6d	DrivermonitorNetdhcp.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\de-DE\wininit.exe	DrivermonitorNetdhcp.exe
File opened for modification	C:\Windows\Resources\Themes\Aero\de-DE\wininit.exe	DrivermonitorNetdhcp.exe
File created	C:\Windows\Resources\Themes\Aero\de-DE\56085415360792	DrivermonitorNetdhcp.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20000_31bf3856ad364e35_6.1.7600.16385_none_ad98ceff003dce19\smss.exe	DrivermonitorNetdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TANOMIlauncher.exe.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4456	schtasks.exe
2196	schtasks.exe
2804	schtasks.exe
3360	schtasks.exe
5068	schtasks.exe
5096	schtasks.exe
580	schtasks.exe
2540	schtasks.exe
2040	schtasks.exe
3148	schtasks.exe
2760	schtasks.exe
1600	schtasks.exe
432	schtasks.exe
2840	schtasks.exe
5040	schtasks.exe
2668	schtasks.exe
1540	schtasks.exe
3456	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2896	DrivermonitorNetdhcp.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe
2676	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	DrivermonitorNetdhcp.exe
Token: SeDebugPrivilege	2676	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2440	432	TANOMIlauncher.exe.bin.exe	29
PID 432 wrote to memory of 2440	432	TANOMIlauncher.exe.bin.exe	29
PID 432 wrote to memory of 2440	432	TANOMIlauncher.exe.bin.exe	29
PID 432 wrote to memory of 2440	432	TANOMIlauncher.exe.bin.exe	29
PID 432 wrote to memory of 2440	432	TANOMIlauncher.exe.bin.exe	29
PID 432 wrote to memory of 2440	432	TANOMIlauncher.exe.bin.exe	29
PID 432 wrote to memory of 2440	432	TANOMIlauncher.exe.bin.exe	29
PID 2440 wrote to memory of 2156	2440	WScript.exe	30
PID 2440 wrote to memory of 2156	2440	WScript.exe	30
PID 2440 wrote to memory of 2156	2440	WScript.exe	30
PID 2440 wrote to memory of 2156	2440	WScript.exe	30
PID 2440 wrote to memory of 2156	2440	WScript.exe	30
PID 2440 wrote to memory of 2156	2440	WScript.exe	30
PID 2440 wrote to memory of 2156	2440	WScript.exe	30
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2156 wrote to memory of 2896	2156	cmd.exe	32
PID 2896 wrote to memory of 1920	2896	DrivermonitorNetdhcp.exe	37
PID 2896 wrote to memory of 1920	2896	DrivermonitorNetdhcp.exe	37
PID 2896 wrote to memory of 1920	2896	DrivermonitorNetdhcp.exe	37
PID 1920 wrote to memory of 2612	1920	csc.exe	39
PID 1920 wrote to memory of 2612	1920	csc.exe	39
PID 1920 wrote to memory of 2612	1920	csc.exe	39
PID 2896 wrote to memory of 3608	2896	DrivermonitorNetdhcp.exe	55
PID 2896 wrote to memory of 3608	2896	DrivermonitorNetdhcp.exe	55
PID 2896 wrote to memory of 3608	2896	DrivermonitorNetdhcp.exe	55
PID 3608 wrote to memory of 3736	3608	cmd.exe	57
PID 3608 wrote to memory of 3736	3608	cmd.exe	57
PID 3608 wrote to memory of 3736	3608	cmd.exe	57
PID 3608 wrote to memory of 3764	3608	cmd.exe	58
PID 3608 wrote to memory of 3764	3608	cmd.exe	58
PID 3608 wrote to memory of 3764	3608	cmd.exe	58
PID 3608 wrote to memory of 2676	3608	cmd.exe	59
PID 3608 wrote to memory of 2676	3608	cmd.exe	59
PID 3608 wrote to memory of 2676	3608	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TANOMIlauncher.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\TANOMIlauncher.exe.bin.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\3gKZAXCAg1FGbpHNytlddzV22hguHiZY84812G8yGhM.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\KfNj92OB2q89BQqYS4KdyWp300Lk8au5.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe
      "C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin/DrivermonitorNetdhcp.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\huzybm33\huzybm33.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7FDA.tmp" "c:\Windows\System32\CSC718FB3E9A79D4639BBCC38DB8FF14263.TMP"
        6⤵
        
        PID:2612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xd0v39EVNx.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3736
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3764
      - C:\Program Files\Google\Chrome\explorer.exe
        
        "C:\Program Files\Google\Chrome\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Resources\Themes\Aero\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DrivermonitorNetdhcpD" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DrivermonitorNetdhcp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DrivermonitorNetdhcpD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES7FDA.tmp

Filesize
1KB

MD5
b194192318a34a53da3314829cc61e9d

SHA1
ecb1ce10327faef80d4d59e7e70f3f06a059dc79

SHA256
28b2746a4b763fd46133b803cb086146f952ff8b3eb88f6eaa5fac5bf1ef006a

SHA512
5e92772f9abb61c4474bb52ca1595e3266cae92e70fd343c99dc8e90d543a06b7795321def01e98c4455515315de2281adf6a3b305390e3cf091a9075c470ee4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\3gKZAXCAg1FGbpHNytlddzV22hguHiZY84812G8yGhM.vbe

Filesize
239B

MD5
bfa798b1e505fdf4c3d5935690d520c1

SHA1
c0f49114a795b2475d0b8b22b0a55455a50d29e5

SHA256
dbf18fbdbc65ebf9ef0fe14d2241f00c03dd2a1666e49ddb47c4871c67db2e8d

SHA512
cf512995697de828d6bdb198d0e38c3173ea486e266744eded48541a128cfafb690324c7ff21c921854c78ea43a471bd286625af0307f4974ef24b875daf0460

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\KfNj92OB2q89BQqYS4KdyWp300Lk8au5.bat

Filesize
90B

MD5
ca4c23f79ee470ef660f3c2c7fa64e86

SHA1
b7de68c9d60b668a1d92d32b61c676f99c605f8d

SHA256
6af8a46b462cb8d14dbd4d0fd0cb753341bbf1bd4eee84c97a87a6ef9e5ed739

SHA512
46a2eef31a505e43fb2f42b7901169ee04213da51a0e51b9004743cf04171d0727279ace095bf0e256a65c8ed27ff1438722079216a9b8f46ee95edaab78056c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xd0v39EVNx.bat

Filesize
219B

MD5
ec6e2cbfbd3152403fdc7d5873dbed4e

SHA1
0b7d63f4e1dca065f8f320b64a5033154a438066

SHA256
79321ded0211492adec71bd04e93d207ead1cbf4b7e1166b2a5b110ed0367cc4

SHA512
7e58952e190408a8abbbe5450988ce474aff6170e78762765063ea2d8720b2715224b7d66976fc55295f7543b66046ffd0da03cd843595588164b4d02db81bdb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\huzybm33\huzybm33.0.cs

Filesize
386B

MD5
32057b88ef387b79f4d2d67f17247657

SHA1
8e0975905214325338634a1a70d33cc1af15e1c0

SHA256
f0912cd7e7f73abd6b2ce88801b7fe93a7555d9020884e1b0921109f0251e00e

SHA512
48233927e142051d2708eda52a44699de74f09af04b7f42404a638fff36b5aeaf6a8c9cca73be2123a0617154f122b38acfede8e031b9e32799c822ba4b7d051

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\huzybm33\huzybm33.cmdline

Filesize
235B

MD5
d528749900ebf0afc2b8247ac08404ca

SHA1
a27f7c1608722f94ba9ac54e08895db54c39cd25

SHA256
7458b5b56ad3b0529cacb52dfe74df4061c5d6cc95a88bd9e82f09b7bec68506

SHA512
dc64fcf2a00cb12f69ee3066285316585428cd3601dde16f0629594e68d43236e301cd6ad7a0a173b724594a4068aa9abb6e7edae0c27108d2597b196cc37c8c

Download Submit
\??\c:\Windows\System32\CSC718FB3E9A79D4639BBCC38DB8FF14263.TMP

Filesize
1KB

MD5
60a1ebb8f840aad127346a607d80fc19

SHA1
c8b7e9ad601ac19ab90b3e36f811960e8badf354

SHA256
9d6a9d38b7a86cc88e551a0c1172a3fb387b1a5f928ac13993ec3387d39cc243

SHA512
44830cefb264bac520174b4b884312dd0393be33a193d4f0fee3cc3c14deb86ca39e43ef281232f9169fd204d19b22e8a7aad72fa448ca52d5cbc3ee1dbb18a4

Download Submit
\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe

Filesize
1.3MB

MD5
f7ed452b6b36fe1a6ad40017405f95a2

SHA1
de073fdf34b56af4f03d0ec8a2d221cbf4d0c5d4

SHA256
509a80dd4d58739d863b7fefbbfce44c3588119e9b5a258e0cbf58ac4bc8fb04

SHA512
a51f7e2028ff8016ab9dddfd0f5a320e9b3516ea32476a7bc82f9d3f33339fe2aa104bb48b630f3081deda2146a58164705af150519eb5ec1b6ecb3b8e0e6635

Download Submit
memory/2676-3605-0x0000000000E70000-0x0000000000E78000-memory.dmp

Filesize
32KB

Download
memory/2896-68-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-78-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-32-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-46-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-30-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-26-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-24-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-22-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-20-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-18-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-15-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-58-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-65-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-36-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-72-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-76-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-74-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-70-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-66-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-44-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-62-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-60-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-56-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-54-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-52-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-50-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-48-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-42-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-40-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-3572-0x0000000000160000-0x000000000016E000-memory.dmp

Filesize
56KB

Download
memory/2896-3574-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2896-38-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-34-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-28-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-16-0x000000001AFA0000-0x000000001B145000-memory.dmp

Filesize
1.6MB

Download
memory/2896-14-0x000000001AFA0000-0x000000001B14A000-memory.dmp

Filesize
1.7MB

Download
memory/2896-13-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download