dcrat | 524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611

Analysis

max time kernel
117s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Size

2.7MB
MD5

0f9e8c0ca92989e50a62c5ea1e47eb74
SHA1

6076489eb7df53fe1116b3dfd0ff5d87cdfeb3d6
SHA256

524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611
SHA512

8819dc1e48e2343d29ee0420a598ee4e062a19b36190af80a204f08a28cde1e3cbe097d438566d1b12cf3d37f1afb889060fb9b141840de1d005be5087302970
SSDEEP

49152:yqyJUSQelMhlk1w19BlUobhENGZXxRWi0UAuqYqqnc:PyJlQgGk1wPko1oO30UA7Yqq

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2760	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2760	schtasks.exe	31

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/740-1-0x0000000001200000-0x00000000014B4000-memory.dmp	dcrat
behavioral1/files/0x0005000000019467-28.dat	dcrat
behavioral1/files/0x000500000001a4d4-59.dat	dcrat
behavioral1/files/0x00090000000186f8-93.dat	dcrat
behavioral1/files/0x0008000000019438-114.dat	dcrat
behavioral1/files/0x00090000000194ef-139.dat	dcrat
behavioral1/memory/2784-210-0x0000000000260000-0x0000000000514000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXE358.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\wininit.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\DVD Maker\csrss.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXE357.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXEE88.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXF514.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\DVD Maker\886983d96e3d3e	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXF513.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\Uninstall Information\services.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6cb0b6c459d5d3	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXE7EE.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\wininit.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\DVD Maker\RCXF292.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\24dbde2999530e	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\DVD Maker\RCXF293.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXDC6E.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXE7ED.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\RCXEE89.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\56085415360792	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File created	C:\Program Files\DVD Maker\csrss.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXDC6F.tmp	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files\Uninstall Information\services.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1316	schtasks.exe
2732	schtasks.exe
2892	schtasks.exe
1668	schtasks.exe
1824	schtasks.exe
1344	schtasks.exe
2848	schtasks.exe
448	schtasks.exe
2468	schtasks.exe
1924	schtasks.exe
2268	schtasks.exe
1088	schtasks.exe
1976	schtasks.exe
380	schtasks.exe
2028	schtasks.exe
2688	schtasks.exe
1840	schtasks.exe
1436	schtasks.exe
2792	schtasks.exe
2924	schtasks.exe
2884	schtasks.exe
1380	schtasks.exe
772	schtasks.exe
2852	schtasks.exe
824	schtasks.exe
1240	schtasks.exe
1532	schtasks.exe
2356	schtasks.exe
1416	schtasks.exe
2928	schtasks.exe
2624	schtasks.exe
2808	schtasks.exe
2236	schtasks.exe
2424	schtasks.exe
1424	schtasks.exe
2784	schtasks.exe
2628	schtasks.exe
1736	schtasks.exe
324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
740	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Token: SeDebugPrivilege	2784	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 2784	740	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe	71
PID 740 wrote to memory of 2784	740	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe	71
PID 740 wrote to memory of 2784	740	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe	71

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
"C:\Users\Admin\AppData\Local\Temp\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:740
- C:\Users\Default User\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe
  "C:\Users\Default User\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Local\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Local\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d37206115" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611" /sc ONLOGON /tr "'C:\Users\Default User\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d37206115" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe

Filesize
2.7MB

MD5
0f9e8c0ca92989e50a62c5ea1e47eb74

SHA1
6076489eb7df53fe1116b3dfd0ff5d87cdfeb3d6

SHA256
524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611

SHA512
8819dc1e48e2343d29ee0420a598ee4e062a19b36190af80a204f08a28cde1e3cbe097d438566d1b12cf3d37f1afb889060fb9b141840de1d005be5087302970

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe

Filesize
2.7MB

MD5
12b49eba876434bb735b20a7edcc21d0

SHA1
c325825cb4c9cb30b407579b744ea99e3b75777a

SHA256
323cbcc2be31917653b5b4185d95b7e6231863fb969798f1c3f49329440bc676

SHA512
1ccd88a5bfd10eacdb1270ec3096bf81959f75fc0d6763ae5290926cf3b4fa872af1ccc91e143ec5944490f0b226ab96c907a253fff0ae2c7ce3e20d31e9dcd5

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe

Filesize
2.7MB

MD5
c3b44979b7bcf90c5bf88f5dde05014e

SHA1
838367c9d0b8fb536ceeeb06cda62cd2082ddd1f

SHA256
13bdfdaa40a47478e9a607899124c69f2a6b580d8224de4b7b2a9383cbff254a

SHA512
dae1779eeb01f46efa2f79ac1f1e72fde3e1851e4908879abf2b4e9259b3225610c77b1814cf30eec49d8c99e92fc32b24c0a4719e77017e6885fe49b5ef5c6b

Download Submit
C:\Users\Default\524eadc0b5758167ac92dbfbf5b6119abefe8648eaf3c1171ab8a227d3720611.exe

Filesize
2.7MB

MD5
48b2c687b6fb4ce9b12f1f880e8ef31d

SHA1
cf57b2c4fc6020a220d40937f95c35bb39db1e58

SHA256
0814541aaee081267caa5accd70a17eb6253bf6f84ac631136a2001b68b12c32

SHA512
66d8f5e3e16a42b7c1942a181ac17ad964e18e3627f95188cc4260c279294ddffe72c19531a5f0c5d9d05aba47a79d6241514e9d43053b75960182d71e7a3e99

Download Submit
C:\Users\Default\AppData\Local\dllhost.exe

Filesize
2.7MB

MD5
19660aefd6038eff6dd6a7ffb5016b3f

SHA1
0c71e547c4953e789a597771fed1976733bd9e49

SHA256
f1b9e37981041d5af596f34eee4eb8fb533f45e52ed8a7e92fa490dbf3a85292

SHA512
10a6164311e71dbd225cec455adc44315651f2e4d7ae4073090dfe7dd650a1a7d245fc52cc243ebc125a19e806f434a722d0c78b7057ff5e4183cc2568ad2dc2

Download Submit
memory/740-7-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/740-16-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/740-0-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/740-8-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/740-9-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/740-10-0x0000000000DD0000-0x0000000000E26000-memory.dmp

Filesize
344KB

Download
memory/740-11-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/740-12-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/740-13-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/740-14-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/740-15-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/740-6-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/740-17-0x0000000000E20000-0x0000000000E2C000-memory.dmp

Filesize
48KB

Download
memory/740-18-0x0000000000F90000-0x0000000000F9A000-memory.dmp

Filesize
40KB

Download
memory/740-19-0x00000000010A0000-0x00000000010AC000-memory.dmp

Filesize
48KB

Download
memory/740-5-0x0000000000150000-0x0000000000158000-memory.dmp

Filesize
32KB

Download
memory/740-4-0x00000000001B0000-0x00000000001CC000-memory.dmp

Filesize
112KB

Download
memory/740-3-0x0000000000140000-0x000000000014E000-memory.dmp

Filesize
56KB

Download
memory/740-2-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/740-1-0x0000000001200000-0x00000000014B4000-memory.dmp

Filesize
2.7MB

Download
memory/740-200-0x000007FEF5FD3000-0x000007FEF5FD4000-memory.dmp

Filesize
4KB

Download
memory/740-209-0x000007FEF5FD0000-0x000007FEF69BC000-memory.dmp

Filesize
9.9MB

Download
memory/2784-210-0x0000000000260000-0x0000000000514000-memory.dmp

Filesize
2.7MB

Download