dcrat | 394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617

Analysis

max time kernel
65s
max time network
53s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
Size

1.5MB
MD5

154029aecb8134930418ece2437864b8
SHA1

a43825d5c82e4266a37e60a746c31ab128b2a4a1
SHA256

394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617
SHA512

2cc0dd8965fb53479fed5107ec2b8ba90ae15dbbc22f1d0d7bffc573cf049d69ce745840fdaa582060940f5be8381cfd5ecec870943d6a3ddda95c9f32a9826c
SSDEEP

24576:u/R6JpYYCpuA5TwiNgFE/4vZy270wlc8cz4lc2zVg5OlyxJ:uZ6a8+DsZ5lyzIcUawly

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2880	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1340-1-0x0000000000B00000-0x0000000000C92000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4db-20.dat	dcrat
behavioral1/files/0x000900000001a4e0-83.dat	dcrat
behavioral1/files/0x000d00000001a4e0-120.dat	dcrat
behavioral1/files/0x000b00000001a4f1-191.dat	dcrat
behavioral1/files/0x000b00000001c865-219.dat	dcrat
behavioral1/files/0x000e00000001c865-243.dat	dcrat
behavioral1/files/0x000f00000001c865-258.dat	dcrat
behavioral1/memory/1288-270-0x00000000008B0000-0x0000000000A42000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1288	smss.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\RCXC0FE.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\lsm.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCXD432.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Windows Defender\fr-FR\cc11b995f2a76d	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXC301.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXC779.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXCB82.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\a306bf30740da3	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCXD431.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Windows Defender\ja-JP\101b941d020240	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCXB968.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\RCXC778.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\RCXCBF0.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\spoolsv.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Microsoft Games\Solitaire\en-US\f3b6ecef712a24	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Internet Explorer\es-ES\cc11b995f2a76d	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\winlogon.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Internet Explorer\es-ES\winlogon.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXB212.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\smss.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\spoolsv.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RCXC302.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Internet Explorer\es-ES\winlogon.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\VideoLAN\VLC\locale\smss.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\VideoLAN\VLC\locale\69ddcba757bf72	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Windows Defender\ja-JP\lsm.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\DVD Maker\fr-FR\1610b97d3ab4a7	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXB2BF.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File created	C:\Program Files\Windows Defender\fr-FR\winlogon.exe	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RCXB969.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\en-US\RCXC0FD.tmp	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2372	schtasks.exe
788	schtasks.exe
2280	schtasks.exe
1832	schtasks.exe
2444	schtasks.exe
668	schtasks.exe
2540	schtasks.exe
1556	schtasks.exe
1788	schtasks.exe
2632	schtasks.exe
1616	schtasks.exe
2908	schtasks.exe
2752	schtasks.exe
2268	schtasks.exe
2392	schtasks.exe
2812	schtasks.exe
1088	schtasks.exe
2412	schtasks.exe
732	schtasks.exe
2292	schtasks.exe
3016	schtasks.exe
916	schtasks.exe
680	schtasks.exe
3060	schtasks.exe
1672	schtasks.exe
2192	schtasks.exe
840	schtasks.exe
2920	schtasks.exe
988	schtasks.exe
2352	schtasks.exe
2712	schtasks.exe
2748	schtasks.exe
2104	schtasks.exe
2216	schtasks.exe
2524	schtasks.exe
1528	schtasks.exe
2688	schtasks.exe
3036	schtasks.exe
2668	schtasks.exe
2164	schtasks.exe
2120	schtasks.exe
2452	schtasks.exe
2240	schtasks.exe
1744	schtasks.exe
1864	schtasks.exe
2996	schtasks.exe
2028	schtasks.exe
336	schtasks.exe
1924	schtasks.exe
568	schtasks.exe
1108	schtasks.exe
1724	schtasks.exe
2272	schtasks.exe
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
1288	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
Token: SeDebugPrivilege	1288	smss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1288	1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe	86
PID 1340 wrote to memory of 1288	1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe	86
PID 1340 wrote to memory of 1288	1340	394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe
"C:\Users\Admin\AppData\Local\Temp\394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Program Files\VideoLAN\VLC\locale\smss.exe
  "C:\Program Files\VideoLAN\VLC\locale\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab36173" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab36173" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\locale\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Solitaire\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Solitaire\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\RCXB755.tmp

Filesize
1.5MB

MD5
b66ab928d005c01e272ac126df443b9a

SHA1
aa31d93b26e4172953a46a3c9b68a3221e69220a

SHA256
6344d2c73350e07c8e30d64180483de154713efe517422b4b23d6a9de376901e

SHA512
2d738a0854c1e9e83f9a6e03978e9bb10ba33869f34cfe4cbfb85b22e478269b5f23b5f5f77509b5f4e40d20c242ae0779e308c460f45beb342002ec03afb53e

Download Submit
C:\MSOCache\All Users\RCXD636.tmp

Filesize
1.5MB

MD5
feca288a8a905747130677b3c1682b2d

SHA1
877ac44ef2d681a91b36f6625150c4a7c319b7a2

SHA256
b014434f41ded5965add4a7d8454a6a7f0794199c9ee29d801230d45e3d32d93

SHA512
bcfcda44d03adf3940d4a6ef4fc7af3e3460e55e4f641e1a30101f9b071ec65c8d21cd07461332b297a03f4f65718a8ec9495cf27bf47f26afb834a9cacf1865

Download Submit
C:\Program Files\Windows Defender\fr-FR\winlogon.exe

Filesize
1.5MB

MD5
e255f31c7a6edff3e956eb3fd7f1708d

SHA1
c91c344b39c5932a785b5da9811d67ee86605087

SHA256
fa96170463fd3435a065ddfe6f6dab46e552e550dbadadb254a1f99ded3cd3da

SHA512
9b0009dcc4f3113f5f6ad9a90258e2768f3975942c4cb485d6a07c7e01440f43b83e6f79bca4d61db2019b321ae6dcc4771672ad623c51181c257ae1c564527f

Download Submit
C:\ProgramData\csrss.exe

Filesize
1.5MB

MD5
d8ca8f42b4a33058355eed4ad6e62893

SHA1
224611fb72d6a050d382125a86ca38c6b129dbc7

SHA256
2b4c777cb73c0bfeb92094fdf2b56eb01a27b25bbc72c9463c8774c2c7bc27f9

SHA512
b1196786a48fdf4759f383e84231eb41a8cbd6712bd6bf05dbe5aee234db2fe0ea29b3aa1625a6713a9005d9d39801642b52407e3d018d7b4d40ff3f413ab80d

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\RCXD22C.tmp

Filesize
1.5MB

MD5
fd755d7215edb1cfdff88bf716653140

SHA1
8fd7e543406864d9659602d4e4f83b9081d1314a

SHA256
8a6487e4088e4cca2e33fda8d69fdf1cf99b154b554524c6fe7bda04984307ea

SHA512
e80bccb85208fe8c2bd827f841d7ef2596868edfccd39bac0a20b6686e423eb5563c8ff195d558863959523e958a417ca79c05b390e3a768713733471cd4bd6c

Download Submit
C:\Users\Admin\Desktop\dllhost.exe

Filesize
1.5MB

MD5
8ffb45675d95937260106f82bbaa1ae0

SHA1
d7e37079cae2c6782adda097c20389b9f19c3240

SHA256
4fa6aac8fbe05c757176a1fa2c2070a5cc876934e98986f37e711551a5cdab1f

SHA512
17a060288084b85d1dea7f7a755b4d5aef8cf84ef4db6d3b32bd4be44c4346e257606227b8df42d04b6a76aae50708c585f91019217b4d2e1b7f2c77b6177c78

Download Submit
C:\Users\Admin\dwm.exe

Filesize
1.5MB

MD5
154029aecb8134930418ece2437864b8

SHA1
a43825d5c82e4266a37e60a746c31ab128b2a4a1

SHA256
394c5bdb282b16f8fc323f01c9a0ebe0a3824c95efbc082a5ae7b1d547ab3617

SHA512
2cc0dd8965fb53479fed5107ec2b8ba90ae15dbbc22f1d0d7bffc573cf049d69ce745840fdaa582060940f5be8381cfd5ecec870943d6a3ddda95c9f32a9826c

Download Submit
memory/1288-270-0x00000000008B0000-0x0000000000A42000-memory.dmp

Filesize
1.6MB

Download
memory/1340-10-0x00000000004E0000-0x00000000004EE000-memory.dmp

Filesize
56KB

Download
memory/1340-190-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/1340-0-0x000007FEF5763000-0x000007FEF5764000-memory.dmp

Filesize
4KB

Download
memory/1340-11-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/1340-8-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/1340-7-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1340-6-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/1340-9-0x00000000004D0000-0x00000000004DE000-memory.dmp

Filesize
56KB

Download
memory/1340-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1340-215-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/1340-4-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1340-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1340-2-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download
memory/1340-1-0x0000000000B00000-0x0000000000C92000-memory.dmp

Filesize
1.6MB

Download
memory/1340-271-0x000007FEF5760000-0x000007FEF614C000-memory.dmp

Filesize
9.9MB

Download