dcrat | b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
Size

1.7MB
MD5

9c3b15ccc76653e0ce7efceb6682bcf3
SHA1

05a048dc3218e5cce7211a32a7d489c9d4a633a7
SHA256

b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422
SHA512

92bebc96768766fe74a5e00b46c701d60ed8ce760b077363f4a4f19a4950edc96bee66ec27feb79f999e54654dbbd8b5dee45aead361ca72b30436eea0899330
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4852	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4852	schtasks.exe	85

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3832-1-0x0000000000DB0000-0x0000000000F70000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbe-30.dat	dcrat
behavioral2/files/0x0008000000023cc3-69.dat	dcrat
behavioral2/memory/396-230-0x00000000000C0000-0x0000000000280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1292	powershell.exe
532	powershell.exe
2044	powershell.exe
648	powershell.exe
4888	powershell.exe
692	powershell.exe
512	powershell.exe
4432	powershell.exe
3956	powershell.exe
3608	powershell.exe
4900	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 3 IoCs

pid	Process
396	services.exe
2348	services.exe
2220	services.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\9e8d7a4ca61bd9	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXCEDB.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\RCXCEEC.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3844	schtasks.exe
1912	schtasks.exe
3456	schtasks.exe
2116	schtasks.exe
5104	schtasks.exe
1948	schtasks.exe
4864	schtasks.exe
4704	schtasks.exe
392	schtasks.exe
3664	schtasks.exe
4696	schtasks.exe
396	schtasks.exe
4032	schtasks.exe
5000	schtasks.exe
3988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
512	powershell.exe
512	powershell.exe
4888	powershell.exe
4888	powershell.exe
2044	powershell.exe
2044	powershell.exe
4432	powershell.exe
4432	powershell.exe
3956	powershell.exe
3956	powershell.exe
1292	powershell.exe
1292	powershell.exe
3608	powershell.exe
3608	powershell.exe
532	powershell.exe
532	powershell.exe
2044	powershell.exe
4900	powershell.exe
648	powershell.exe
4900	powershell.exe
648	powershell.exe
692	powershell.exe
692	powershell.exe
512	powershell.exe
4888	powershell.exe
4432	powershell.exe
692	powershell.exe
532	powershell.exe
4900	powershell.exe
3956	powershell.exe
648	powershell.exe
3608	powershell.exe
1292	powershell.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe
396	services.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	396	services.exe
Token: SeDebugPrivilege	2348	services.exe
Token: SeDebugPrivilege	2220	services.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 512	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	109
PID 3832 wrote to memory of 512	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	109
PID 3832 wrote to memory of 1292	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	110
PID 3832 wrote to memory of 1292	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	110
PID 3832 wrote to memory of 532	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	111
PID 3832 wrote to memory of 532	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	111
PID 3832 wrote to memory of 4432	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	112
PID 3832 wrote to memory of 4432	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	112
PID 3832 wrote to memory of 2044	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	113
PID 3832 wrote to memory of 2044	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	113
PID 3832 wrote to memory of 3956	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	114
PID 3832 wrote to memory of 3956	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	114
PID 3832 wrote to memory of 3608	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	115
PID 3832 wrote to memory of 3608	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	115
PID 3832 wrote to memory of 4900	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	116
PID 3832 wrote to memory of 4900	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	116
PID 3832 wrote to memory of 4888	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	117
PID 3832 wrote to memory of 4888	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	117
PID 3832 wrote to memory of 648	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	118
PID 3832 wrote to memory of 648	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	118
PID 3832 wrote to memory of 692	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	119
PID 3832 wrote to memory of 692	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	119
PID 3832 wrote to memory of 1912	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	131
PID 3832 wrote to memory of 1912	3832	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	131
PID 1912 wrote to memory of 4736	1912	cmd.exe	133
PID 1912 wrote to memory of 4736	1912	cmd.exe	133
PID 1912 wrote to memory of 396	1912	cmd.exe	139
PID 1912 wrote to memory of 396	1912	cmd.exe	139
PID 396 wrote to memory of 4888	396	services.exe	141
PID 396 wrote to memory of 4888	396	services.exe	141
PID 396 wrote to memory of 3604	396	services.exe	142
PID 396 wrote to memory of 3604	396	services.exe	142
PID 4888 wrote to memory of 2348	4888	WScript.exe	149
PID 4888 wrote to memory of 2348	4888	WScript.exe	149
PID 2348 wrote to memory of 1408	2348	services.exe	151
PID 2348 wrote to memory of 1408	2348	services.exe	151
PID 2348 wrote to memory of 1056	2348	services.exe	152
PID 2348 wrote to memory of 1056	2348	services.exe	152
PID 1408 wrote to memory of 2220	1408	WScript.exe	162
PID 1408 wrote to memory of 2220	1408	WScript.exe	162
PID 2220 wrote to memory of 648	2220	services.exe	164
PID 2220 wrote to memory of 648	2220	services.exe	164
PID 2220 wrote to memory of 2120	2220	services.exe	165
PID 2220 wrote to memory of 2120	2220	services.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
"C:\Users\Admin\AppData\Local\Temp\b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15xiJc00SX.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4736
- - C:\Recovery\WindowsRE\services.exe
    "C:\Recovery\WindowsRE\services.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1083e127-d189-4581-b6d5-7f9c2e4cb2f9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cdc1ab5-89d6-4c2f-a963-1c4a98b96ecb.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Recovery\WindowsRE\services.exe
        
        C:\Recovery\WindowsRE\services.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a57aba49-91d3-4cd3-9da1-50ee2cfb2d66.vbs"
        8⤵
        
        PID:648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ccae78e-9f2c-470d-8a80-21f7589ebba8.vbs"
        8⤵
        
        PID:2120
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d0ffc15-8f2c-49c2-8df3-ecff50ad5ffe.vbs"
        6⤵
        
        PID:1056
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\484e79b0-bc7d-4300-9026-df42e4a6a6f1.vbs"
      4⤵
      PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\services.exe

Filesize
1.7MB

MD5
f8e9baafbf5fd20b7f1473c0734f2439

SHA1
9d2bec280563d792efabddeb61908b3a0128fd08

SHA256
7783f62e822bbe4dbcfc5ab04bc95fe819c7dc0e2ec903ed691a26fdaa7422de

SHA512
93bbe68c249aef092390fbac9454a3fa55c970e7d06153da4df9f38905919ba6768a4d8da1c26f1364f4367f72f3d822ebcb15ea4300cbcc7678e80ebdfc35d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
ba3a040fbca8917e5194b2c9b280b1a6

SHA1
f419eed6a4fa9b378d1968ae45640c8b105daaee

SHA256
939d60b02a563c5247fa21b021c769b5345b6490be69ad51865bd83d50a3fe7f

SHA512
eae35fb047f46ad3023b8de61c0b07523d307f6c22e15fb025a9d0188e2eed6ae3dd1adf0d8dc895d10bf031f7dc039bea1c05a6f23c978814ca306e367a2c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1083e127-d189-4581-b6d5-7f9c2e4cb2f9.vbs

Filesize
709B

MD5
1ec0654859c706ca14392f881e639c6b

SHA1
76f41d6e92e68c84b3ef21a557fedc386796c730

SHA256
de2410a49e801ea80950b5574a9d95db663e96113acfc379f76e1fca274a83c6

SHA512
59a804391f8d787e987b3f88b92f9155dd1618465121edc009adffc0b3cb881ecbacec7f579552b50702a50940fa18ed08522808e6d7a4bcd06ab2b322568033

Download Submit
C:\Users\Admin\AppData\Local\Temp\15xiJc00SX.bat

Filesize
199B

MD5
bc988e583e14ecc1c11293feac6dff7b

SHA1
f69c5bd583ac92c09be6c8be9619b256ba5ef40d

SHA256
cc7859294a93e03fc694e38debaf6cc2900568fac35f804071e8caa9b86297b3

SHA512
b7ac6bca2dcda47a53358c4b2ffb005b62f8fbb7e14b3173169a2b26197ec7277751eb11c9469f9dc8d3a12e1909d62b4156966e1f034029da15cbe35a06bf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\484e79b0-bc7d-4300-9026-df42e4a6a6f1.vbs

Filesize
486B

MD5
bcd8d3481605759095303743250f3434

SHA1
cc0f361803da0cb67671a3106022fd302e1e7198

SHA256
3259b64c6d8375905b92ea8bf946c5464eac5e995beb964c170aca2464d8ee32

SHA512
3e782a8efafb27a3057e9b448bd532a9699f843deca5e645348dac136559d1c291f1bcb21b29f28ad47b6c511c8f90643916480d6fd0212021e333689706a582

Download Submit
C:\Users\Admin\AppData\Local\Temp\9cdc1ab5-89d6-4c2f-a963-1c4a98b96ecb.vbs

Filesize
710B

MD5
55d1e6f9054205d56410845d6a65e808

SHA1
b703d248ee1335678e6e71d4ac8ba62b308fc2d4

SHA256
4866b8e7e39448912c455b8f1d89e3beb902903fd2b6c5957ee6abafc16143ee

SHA512
fda5d52dd30e4608727c3f10b4f3b61a8b4139713b9468990883e808318738dd0c55b61401f3522f2bf6a89c9d88c866533142a877d43b76e75df8c5251e365e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oyekjczf.s5x.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a57aba49-91d3-4cd3-9da1-50ee2cfb2d66.vbs

Filesize
710B

MD5
0a316c6ce65599a40727f8d92254a1b6

SHA1
0d25f0fe67ee209523ad7f5431e3f5818b08d02b

SHA256
361e32636d743e5448b5a86b03e15a1d086c008bf07ef98211ec47a24556c85d

SHA512
3b561446fe8066332b962f50b479a8d2194ed59ad5aae37c855dc225eb11f76457056b64d7d5d26133189edf7971b50151560c8d64c30011c1b2494e15906973

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RuntimeBroker.exe

Filesize
1.7MB

MD5
9c3b15ccc76653e0ce7efceb6682bcf3

SHA1
05a048dc3218e5cce7211a32a7d489c9d4a633a7

SHA256
b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422

SHA512
92bebc96768766fe74a5e00b46c701d60ed8ce760b077363f4a4f19a4950edc96bee66ec27feb79f999e54654dbbd8b5dee45aead361ca72b30436eea0899330

Download Submit
memory/396-230-0x00000000000C0000-0x0000000000280000-memory.dmp

Filesize
1.8MB

Download
memory/512-102-0x000001577BB70000-0x000001577BB92000-memory.dmp

Filesize
136KB

Download
memory/3832-10-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/3832-12-0x000000001BC10000-0x000000001BC22000-memory.dmp

Filesize
72KB

Download
memory/3832-23-0x00007FFCB1630000-0x00007FFCB20F1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-19-0x000000001C530000-0x000000001C53C000-memory.dmp

Filesize
48KB

Download
memory/3832-14-0x000000001BC20000-0x000000001BC2C000-memory.dmp

Filesize
48KB

Download
memory/3832-15-0x000000001C3B0000-0x000000001C3BA000-memory.dmp

Filesize
40KB

Download
memory/3832-17-0x000000001C3D0000-0x000000001C3D8000-memory.dmp

Filesize
32KB

Download
memory/3832-112-0x00007FFCB1630000-0x00007FFCB20F1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-16-0x000000001C3C0000-0x000000001C3CE000-memory.dmp

Filesize
56KB

Download
memory/3832-18-0x000000001C520000-0x000000001C52C000-memory.dmp

Filesize
48KB

Download
memory/3832-13-0x000000001C7E0000-0x000000001CD08000-memory.dmp

Filesize
5.2MB

Download
memory/3832-22-0x00007FFCB1630000-0x00007FFCB20F1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-0-0x00007FFCB1633000-0x00007FFCB1635000-memory.dmp

Filesize
8KB

Download
memory/3832-9-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/3832-5-0x00000000031A0000-0x00000000031A8000-memory.dmp

Filesize
32KB

Download
memory/3832-6-0x00000000031B0000-0x00000000031C0000-memory.dmp

Filesize
64KB

Download
memory/3832-8-0x000000001BBE0000-0x000000001BBF0000-memory.dmp

Filesize
64KB

Download
memory/3832-7-0x00000000031C0000-0x00000000031D6000-memory.dmp

Filesize
88KB

Download
memory/3832-4-0x000000001BC30000-0x000000001BC80000-memory.dmp

Filesize
320KB

Download
memory/3832-3-0x0000000003180000-0x000000000319C000-memory.dmp

Filesize
112KB

Download
memory/3832-2-0x00007FFCB1630000-0x00007FFCB20F1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-1-0x0000000000DB0000-0x0000000000F70000-memory.dmp

Filesize
1.8MB

Download