dcrat | 52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288

Analysis

max time kernel
100s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
Size

1.2MB
MD5

fed24fca9235528a9e0a686ff60b723d
SHA1

e497808ca573e7dfd2e4d99d2c085ab9724707e0
SHA256

52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288
SHA512

2c1699f394a6c8708cd13f53e7df631b7548d72bb46b035963044c1f6c73b84ebba1e1adc02fe5f22d2aae31470bc9e61cce623cbdee3682c54b387befb7b999
SSDEEP

12288:90b329aw7HMGuBrwRCRa+XplQBuK7hEefjf05gRyC7Z3M6xqPhbqOEJv005vnhJb:98yaw7HMHXRa+y7htfxRr2EgKt0O8C3

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	4556	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	4556	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4632-1-0x00000000005D0000-0x000000000070C000-memory.dmp	dcrat
behavioral2/files/0x0008000000023c4e-17.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe

Executes dropped EXE 1 IoCs

pid	Process
5000	wininit.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fontdrvhost.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\System.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\27d1bcfc3c54e0	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\WindowsPowerShell\dllhost.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\5940a34987c991	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\Java\9e8d7a4ca61bd9	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\WindowsApps\dllhost.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\dotnet\e6c9b481da804f	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\WindowsPowerShell\5940a34987c991	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File opened for modification	C:\Program Files\Java\RuntimeBroker.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\Windows Defender\it-IT\dwm.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\dotnet\OfficeClickToRun.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\121e5b5079f7c0	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\Java\RuntimeBroker.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Program Files\Windows Defender\it-IT\6cb0b6c459d5d3	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Help\Help\SearchApp.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Windows\Help\Help\38384e6a620884	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Windows\OCR\es-es\sysmon.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Windows\Offline Web Pages\Registry.exe	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
File created	C:\Windows\Offline Web Pages\ee2ad38f3d4382	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000_Classes\Local Settings	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
912	schtasks.exe
2884	schtasks.exe
4860	schtasks.exe
4704	schtasks.exe
4108	schtasks.exe
1196	schtasks.exe
1908	schtasks.exe
4180	schtasks.exe
2308	schtasks.exe
4780	schtasks.exe
5076	schtasks.exe
5032	schtasks.exe
1924	schtasks.exe
1516	schtasks.exe
4920	schtasks.exe
2132	schtasks.exe
2204	schtasks.exe
4924	schtasks.exe
1780	schtasks.exe
1000	schtasks.exe
4484	schtasks.exe
2984	schtasks.exe
3304	schtasks.exe
4192	schtasks.exe
5012	schtasks.exe
3272	schtasks.exe
4420	schtasks.exe
4476	schtasks.exe
544	schtasks.exe
2880	schtasks.exe
2144	schtasks.exe
4120	schtasks.exe
3092	schtasks.exe
2996	schtasks.exe
736	schtasks.exe
2760	schtasks.exe
1360	schtasks.exe
1652	schtasks.exe
760	schtasks.exe
436	schtasks.exe
4684	schtasks.exe
3028	schtasks.exe
864	schtasks.exe
2732	schtasks.exe
3200	schtasks.exe
3740	schtasks.exe
876	schtasks.exe
1372	schtasks.exe
3460	schtasks.exe
4732	schtasks.exe
2152	schtasks.exe
2032	schtasks.exe
992	schtasks.exe
5088	schtasks.exe
1820	schtasks.exe
3004	schtasks.exe
3224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe
5000	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
Token: SeDebugPrivilege	5000	wininit.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4632 wrote to memory of 2600	4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe	144
PID 4632 wrote to memory of 2600	4632	52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe	144
PID 2600 wrote to memory of 2836	2600	cmd.exe	146
PID 2600 wrote to memory of 2836	2600	cmd.exe	146
PID 2600 wrote to memory of 5000	2600	cmd.exe	149
PID 2600 wrote to memory of 5000	2600	cmd.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe
"C:\Users\Admin\AppData\Local\Temp\52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KB7qYZtOsW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2836
- - C:\Users\Default User\wininit.exe
    "C:\Users\Default User\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Help\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Help\Help\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Help\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KB7qYZtOsW.bat

Filesize
198B

MD5
2c3ffd48e5937b1ce158f8c7a3593ac6

SHA1
740027de6ff92907b8ae04e87d0d1f3aa102e90a

SHA256
f01afd1ca9c5aa8d1263ec275e38a7317e905aeb34e3dae692419c71e5734da9

SHA512
3a0a0f694a8e18bac9560c954e71bc9cb79368d9b72ab8d169779d6eaa060e8d8b958b59c5aaf1ac5a1a385e67cd0828454b52997b7072374be77e8f56ef5da8

Download Submit
C:\Users\Default\wininit.exe

Filesize
1.2MB

MD5
fed24fca9235528a9e0a686ff60b723d

SHA1
e497808ca573e7dfd2e4d99d2c085ab9724707e0

SHA256
52fd5f4ce18c0d8ee4fce41364371d39bf024d3be241cc4f765a6c73cff1d288

SHA512
2c1699f394a6c8708cd13f53e7df631b7548d72bb46b035963044c1f6c73b84ebba1e1adc02fe5f22d2aae31470bc9e61cce623cbdee3682c54b387befb7b999

Download Submit
memory/4632-0-0x00007FFA2A253000-0x00007FFA2A255000-memory.dmp

Filesize
8KB

Download
memory/4632-1-0x00000000005D0000-0x000000000070C000-memory.dmp

Filesize
1.2MB

Download
memory/4632-2-0x00007FFA2A250000-0x00007FFA2AD11000-memory.dmp

Filesize
10.8MB

Download
memory/4632-3-0x0000000002920000-0x000000000292E000-memory.dmp

Filesize
56KB

Download
memory/4632-4-0x0000000002930000-0x000000000294C000-memory.dmp

Filesize
112KB

Download
memory/4632-6-0x000000001B330000-0x000000001B33C000-memory.dmp

Filesize
48KB

Download
memory/4632-5-0x000000001B8A0000-0x000000001B8F0000-memory.dmp

Filesize
320KB

Download
memory/4632-7-0x000000001BC10000-0x000000001BC1E000-memory.dmp

Filesize
56KB

Download
memory/4632-8-0x000000001B340000-0x000000001B34C000-memory.dmp

Filesize
48KB

Download
memory/4632-52-0x00007FFA2A250000-0x00007FFA2AD11000-memory.dmp

Filesize
10.8MB

Download