Overview

overview

10

Static

static

10

26e4874d6c...c0.exe

windows7-x64

10

26e4874d6c...c0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-02-2025 23:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0.exe

  • Size

    2.2MB

  • MD5

    baad2dc104aaba3159da075a87cb606e

  • SHA1

    a3346f43df91c6df1cec3b048a14246d6e65bc46

  • SHA256

    26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0

  • SHA512

    4d629a023232b64db7489f2cba745466bf07dbf2813492c603f8594695fd187edff0002d9aad09ccae051a4e00c105c0094c4a37483220ce1509aa9e9d967475

  • SSDEEP

    49152:ssSHlG56vO0T3/Nh/ptuw/C3TqGaDxr1NcWTMUvifq:sLlK6d3/Nh/bV/Oq3Dxp2RUGq

Score
10/10
dcratdefense_evasioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 19 IoCs
    persistence
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    defense_evasiontrojan
  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 38 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • System policy modification 1 TTPs 9 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0.exe
    "C:\Users\Admin\AppData\Local\Temp\26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4444
    • C:\Program Files\7-Zip\Lang\RuntimeBroker.exe
      "C:\Program Files\7-Zip\Lang\RuntimeBroker.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4140
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\609db333-0b41-4606-960e-beeb73a572cb.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3360
        • C:\Program Files\7-Zip\Lang\RuntimeBroker.exe
          "C:\Program Files\7-Zip\Lang\RuntimeBroker.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4608
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d226ea99-6bfb-4d9a-bcab-bb4a65555d42.vbs"
            5⤵
              PID:3620
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d348fe08-f1f5-45a3-8275-7e802fc65bb2.vbs"
              5⤵
                PID:836
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f4c55ee-19f1-4435-a667-a55c41c285ed.vbs"
            3⤵
              PID:4900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2176
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1120
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\Device Stage\explorer.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\Device Stage\explorer.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2328
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4608
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Branding\shellbrd\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2584
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Branding\shellbrd\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\shellbrd\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1012
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Cookies\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:232
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:852
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4928
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4188
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2280
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3632
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3116
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2184
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\Saved Pictures\winlogon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4360
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\Saved Pictures\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\attachments\sppsvc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1956
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\attachments\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc02" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4108
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc02" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4088
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4084
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5112
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1128
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4388

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Boot or Logon Autostart Execution

        2
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Winlogon Helper DLL

        1
        T1547.004

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Abuse Elevation Control Mechanism

        1
        T1548

        Bypass User Account Control

        1
        T1548.002

        Impair Defenses

        1
        T1562

        Disable or Modify Tools

        1
        T1562.001

        Modify Registry

        4
        T1112

        Credential Access

        Discovery

        Query Registry

        2
        T1012

        System Information Discovery

        3
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Recovery\WindowsRE\26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0.exe
          Filesize

          2.2MB

          MD5

          233fc9bca83114a2bb58ebb45fb52d05

          SHA1

          33e213539ea6c50b6454108e7358f16f35a83030

          SHA256

          01c353d9cf703214166550e919690a9abf57d638f4f8dbeb9bf736df7e9119d3

          SHA512

          da1e7e831c19b5634184bba30e528f46fd6153c9148c254c9380fc9b93ffd9165a117820288844da98d1e77a683fb84ad27f160dd34318387f8140bf5f1055bf

          Download Submit

        • C:\Recovery\WindowsRE\Idle.exe
          Filesize

          2.2MB

          MD5

          ecbdd50584f428e76d88e4b4ebc6951a

          SHA1

          db6a469992be14b77e0dca6281b65bce63966089

          SHA256

          f2fc7364a64e0f8831d29443adeb5ddef52129569adc445e2653ef4bc351b27e

          SHA512

          2b4c5dd6a743fb55bdbc32964b7cdad5cbe2745f00ea71f8ea30408dea8dbc583bc797461b82d1b4f2fb265e29ff00a3d4db3f1727de34c766615f259656d6a6

          Download Submit

        • C:\Recovery\WindowsRE\System.exe
          Filesize

          2.2MB

          MD5

          f17fd8c8e40af56362a7b653a67385d4

          SHA1

          6131ab2b7ca3e5639130ce21c239b4a09d39387c

          SHA256

          c7b03eaa5883bac1efcd791e50fc91d2212ef49120b25c536a84b81b13a1255c

          SHA512

          9d333d6a3d042f0497f50a964daa29ed5272daf57bb68e768b5f95e90c591a4660bf440b81942666f274778efaf39b40087adae3b3344f91cb64cb6c90852988

          Download Submit

        • C:\Recovery\WindowsRE\dwm.exe
          Filesize

          2.2MB

          MD5

          f1fff42b0d8f5d493db880fcafb27179

          SHA1

          6e0fb9a4252891150f4a521bf6d27c2ce91c12ce

          SHA256

          fe047366e5e4a90180ce174308284df0da15e2d7945d84cfa87eb67b8347441b

          SHA512

          add554513f3cf1447ad074bc3f74bdfadd31a490ca2140457c2a49033937e6aa4d499a515723262fb1bfa2c349218db49dded5b45c1fb65869a5600c7a1b6678

          Download Submit

        • C:\Recovery\WindowsRE\taskhostw.exe
          Filesize

          2.2MB

          MD5

          ad7ec84f7efa1569e81a3ee4dd09cbc7

          SHA1

          b54a85969ccfdc4a963ca6d5af5905bc295454fd

          SHA256

          ee403193e979ec9da12b0e34b5443dc6f1105998b0df29a668b286961746ac48

          SHA512

          616e4bb54a3b27e1bffe7d553073ec128595c0047a1bbd8d40f5978c3972116512fe9951d98651280c3b07414994c4a2ce41c4dbd5dc5cf9a93a30d9d6dad15e

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
          Filesize

          1KB

          MD5

          49b64127208271d8f797256057d0b006

          SHA1

          b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

          SHA256

          2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

          SHA512

          f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\609db333-0b41-4606-960e-beeb73a572cb.vbs
          Filesize

          721B

          MD5

          eee121379de28435b6582a3d855fd9e4

          SHA1

          f08874f6ecda7fb7a47c518eecf2aadc64948381

          SHA256

          e692bf7ada5cf618c9177a0e52b7048067bd79fbb44f0a97ec818325aaa3e2a8

          SHA512

          b72398e57998dd7ad5045c13067a9c1784be2b885ff133aa829de1740f08b5437374b09ac3ba76dd53eb33662fb29f2414b8a0e65674210b8a36532248d8f152

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\6f4c55ee-19f1-4435-a667-a55c41c285ed.vbs
          Filesize

          497B

          MD5

          74a11fab89b258ce2ccaf6d74489de50

          SHA1

          f10ea38cb6f9535d97abe64e3de9eef636df5850

          SHA256

          c5f74752b8b497e8f7c569be11afc919aa983789bc632ecbbaa7b8469a54cc8b

          SHA512

          a4799fcf334a3f7aba121a85ae2690d4bb4c63f7e6d1df64e36a4cd0c6a1326be957455b57679d58e64f63c1b61af487adeeb9bfc8c4d64b5a7859759168c0af

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\d226ea99-6bfb-4d9a-bcab-bb4a65555d42.vbs
          Filesize

          721B

          MD5

          cdd0538c56cdcbe5557b412c3f15fc8c

          SHA1

          38a341afbe3bcbb598608df9f2558452a2e3cb9b

          SHA256

          b9887a09b05979425763c44567816016759ff9a394f56de28a9ecd309860374e

          SHA512

          3efb5f8d360e48f3829f1ac09f62ceaf3989954d7166e49ff5deef35f4c36eedcf02dee8722c90ce5b6de940591e8f149d35a25e089633fcec94d25477980a8a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\RuntimeBroker.exe
          Filesize

          2.2MB

          MD5

          998bf926669cb087602ed07145dd1728

          SHA1

          0d04ab0cc771374b584a0a82da4548741c53bc73

          SHA256

          ada2d3dcd735d2b315108c2c6f6ebe344b2fe8d40f2bd5dba713b3cb3e86b596

          SHA512

          b79cff28db8c3132ac9da43ba1aac1f8be15055a5fdd6936749218f26c09f0ad5da99eacb47435d29ee01796ac38c42371a6d4b4b9d855be00bd931cfac06f3b

          Download Submit

        • C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\dllhost.exe
          Filesize

          2.2MB

          MD5

          a593f0c1e9b54ae34ad696b4eeef396b

          SHA1

          47f722ccf048e55e843a5558a20d101799d98caf

          SHA256

          bb12c9433e8b8bfbe070dc4d97354ab476e98b402c39ea8d193930b231bfc232

          SHA512

          f631f403ce92ac1e5cb9b3a53de5a631a8300b35e64bbfe17fb4938a4f7a682f92756f783fea181a813717ab7a6d3d36ee6a40e544f87f7f7a365d2a457ff8e1

          Download Submit

        • C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe
          Filesize

          2.2MB

          MD5

          baad2dc104aaba3159da075a87cb606e

          SHA1

          a3346f43df91c6df1cec3b048a14246d6e65bc46

          SHA256

          26e4874d6cade038fd82d89d732abe0eb6f26d6e0a5e5e24af8d36000f9abfc0

          SHA512

          4d629a023232b64db7489f2cba745466bf07dbf2813492c603f8594695fd187edff0002d9aad09ccae051a4e00c105c0094c4a37483220ce1509aa9e9d967475

          Download Submit

        • C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe
          Filesize

          2.2MB

          MD5

          ef7b7de7d1480b5023206ed63b710ed2

          SHA1

          52573225dcb31970d49c9ada1b41b0c424fdc3e6

          SHA256

          2eb1830fa6c1e53a41131f5d1185ac11aae973f773378d2576ea9b0b5bf7357f

          SHA512

          d49985d000451cfc9c43c777f387a2a82cbcc2920287cc2e2828c3e467e758de3b805925ac7a5b80e0163676fb5bb645274eb92551d108f249c9600faebeac65

          Download Submit

        • memory/4444-12-0x000000001C300000-0x000000001C310000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4444-13-0x000000001C310000-0x000000001C31A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4444-15-0x000000001C380000-0x000000001C388000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4444-16-0x000000001C390000-0x000000001C39C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-17-0x000000001C3A0000-0x000000001C3A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4444-19-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4444-20-0x000000001C910000-0x000000001CE38000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4444-21-0x000000001C3E0000-0x000000001C3EC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-22-0x000000001C3F0000-0x000000001C3FC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-23-0x000000001C400000-0x000000001C40C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-25-0x000000001C520000-0x000000001C52E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4444-28-0x000000001C650000-0x000000001C65C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-27-0x000000001C640000-0x000000001C64E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4444-26-0x000000001C530000-0x000000001C538000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4444-30-0x000000001C670000-0x000000001C67C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-29-0x000000001C660000-0x000000001C668000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4444-24-0x000000001C510000-0x000000001C51A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4444-32-0x00007FFE1C490000-0x00007FFE1CF51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4444-34-0x00007FFE1C490000-0x00007FFE1CF51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4444-14-0x000000001C320000-0x000000001C32C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-0-0x00007FFE1C493000-0x00007FFE1C495000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4444-11-0x000000001C2F0000-0x000000001C2F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4444-7-0x000000001BC90000-0x000000001BC98000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4444-155-0x00007FFE1C493000-0x00007FFE1C495000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4444-8-0x000000001BCA0000-0x000000001BCB0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4444-167-0x00007FFE1C490000-0x00007FFE1CF51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4444-10-0x000000001C2E0000-0x000000001C2EC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4444-9-0x000000001BCB0000-0x000000001BCC6000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4444-202-0x00007FFE1C490000-0x00007FFE1CF51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4444-6-0x000000001C330000-0x000000001C380000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4444-226-0x00007FFE1C490000-0x00007FFE1CF51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4444-5-0x000000001BB20000-0x000000001BB3C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/4444-356-0x00007FFE1C490000-0x00007FFE1CF51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4444-4-0x000000001BB10000-0x000000001BB1E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4444-3-0x00000000031D0000-0x00000000031DE000-memory.dmp

          Filesize

          56KB

          Download

        • memory/4444-2-0x00007FFE1C490000-0x00007FFE1CF51000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4444-1-0x0000000000E30000-0x000000000105E000-memory.dmp

          Filesize

          2.2MB

          Download