dcrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
103s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c45000d07293154a655ba52ffb7bab99.exe
Size

849KB
MD5

c45000d07293154a655ba52ffb7bab99
SHA1

4b4fbc2c00cf6c6c6fcea58074213c4f0606b80a
SHA256

f639fc426671cba387b08b8c14743bccfd9d13866982573a1ed2e150967c17ac
SHA512

2805351e0080a62061efb9bc7e3d953221df1180edfcf1142b59302a0afbcf3332a8855deaa9f147ebb11789a3cdbadf6073306000d03698537813bf579df674
SSDEEP

12288:I6NE5ig5Fttrh5PxjUm5SvDdLILaBFkjKuAMx6A5gtbGk84Ca04jtiPBgGKYTx:I6N297PxbsKtC5AHgk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5448	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5844	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5952	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4480	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	4480	schtasks.exe	89

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral10/memory/4212-1-0x00000000004B0000-0x000000000058A000-memory.dmp	dcrat
behavioral10/files/0x0007000000024295-18.dat	dcrat
behavioral10/files/0x000a0000000227d3-83.dat	dcrat
behavioral10/files/0x0006000000022b91-106.dat	dcrat
behavioral10/files/0x0008000000022b94-137.dat	dcrat
behavioral10/files/0x0004000000022bbb-162.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	c45000d07293154a655ba52ffb7bab99.exe

Executes dropped EXE 1 IoCs

pid	Process
5816	c45000d07293154a655ba52ffb7bab99.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4376_116299090\services.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\edge_BITS_4376_1459281234\e77d3f30b5f080	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4376_116299090\services.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX69A3.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4376_1459281234\RCX738E.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4376_1459281234\c45000d07293154a655ba52ffb7bab99.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\55b276f4edf653	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\RCX5F0B.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4376_116299090\RCX651B.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4376_116299090\RCX6599.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\StartMenuExperienceHost.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\StartMenuExperienceHost.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\edge_BITS_4376_116299090\c5b4cb5e9653cc	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	c45000d07293154a655ba52ffb7bab99.exe
File created	C:\Program Files\edge_BITS_4376_1459281234\c45000d07293154a655ba52ffb7bab99.exe	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\RCX5F0A.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX6A11.tmp	c45000d07293154a655ba52ffb7bab99.exe
File opened for modification	C:\Program Files\edge_BITS_4376_1459281234\RCX738F.tmp	c45000d07293154a655ba52ffb7bab99.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	c45000d07293154a655ba52ffb7bab99.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4788	schtasks.exe
4092	schtasks.exe
4740	schtasks.exe
4640	schtasks.exe
2912	schtasks.exe
3568	schtasks.exe
1348	schtasks.exe
2336	schtasks.exe
4508	schtasks.exe
3796	schtasks.exe
5188	schtasks.exe
1236	schtasks.exe
2256	schtasks.exe
4764	schtasks.exe
4664	schtasks.exe
5312	schtasks.exe
2992	schtasks.exe
2988	schtasks.exe
2948	schtasks.exe
4848	schtasks.exe
5448	schtasks.exe
1572	schtasks.exe
4908	schtasks.exe
2660	schtasks.exe
376	schtasks.exe
5952	schtasks.exe
1056	schtasks.exe
4492	schtasks.exe
5820	schtasks.exe
4488	schtasks.exe
4672	schtasks.exe
1164	schtasks.exe
5844	schtasks.exe
4888	schtasks.exe
1692	schtasks.exe
964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
4212	c45000d07293154a655ba52ffb7bab99.exe
5816	c45000d07293154a655ba52ffb7bab99.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	c45000d07293154a655ba52ffb7bab99.exe
Token: SeDebugPrivilege	5816	c45000d07293154a655ba52ffb7bab99.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 5816	4212	c45000d07293154a655ba52ffb7bab99.exe	132
PID 4212 wrote to memory of 5816	4212	c45000d07293154a655ba52ffb7bab99.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c45000d07293154a655ba52ffb7bab99.exe
"C:\Users\Admin\AppData\Local\Temp\c45000d07293154a655ba52ffb7bab99.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212
- C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\c45000d07293154a655ba52ffb7bab99.exe
  "C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\c45000d07293154a655ba52ffb7bab99.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\PdfPreview\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\c45000d07293154a655ba52ffb7bab99.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 9 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4376_116299090\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4376_116299090\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4376_116299090\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4376_1459281234\c45000d07293154a655ba52ffb7bab99.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4376_1459281234\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c45000d07293154a655ba52ffb7bab99c" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4376_1459281234\c45000d07293154a655ba52ffb7bab99.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Application Data\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\RuntimeBroker.exe

Filesize
849KB

MD5
dcda1f11da69e8580c450ac32fe89a16

SHA1
88d3133e61a897262eaf9e213096cd83cce3ea82

SHA256
180352b1cf8532e93eaabf43d4e16ec9ac4d5bf1d8cedd009adbd15ac08f43c2

SHA512
4cd17eb247e19fc00c3ec1bd906536059e66758a48e45395c697df2949e9aa8ed05c07c3de582e94fc7a57e2f1518c4bffff97aae7ba35a77ede3a2669ce49d3

Download Submit
C:\Program Files\edge_BITS_4376_116299090\services.exe

Filesize
849KB

MD5
dee3d5a358b08e294b943856b8514228

SHA1
08d301992ebcbaf6de02ea556684c670d03d921d

SHA256
ac3b232d68b3030001d5e8135056de5c4672c0640c208edca7253fc2e019146b

SHA512
1bca504227d96d7ceed92edcc76f6a5d7c9b253b29e435de65cb312cb6440bb6c4fc532747c9d5b6ab62497b03fe82112de176d7872789461d4ae9e75522ab6f

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
849KB

MD5
c45000d07293154a655ba52ffb7bab99

SHA1
4b4fbc2c00cf6c6c6fcea58074213c4f0606b80a

SHA256
f639fc426671cba387b08b8c14743bccfd9d13866982573a1ed2e150967c17ac

SHA512
2805351e0080a62061efb9bc7e3d953221df1180edfcf1142b59302a0afbcf3332a8855deaa9f147ebb11789a3cdbadf6073306000d03698537813bf579df674

Download Submit
C:\Recovery\WindowsRE\sihost.exe

Filesize
849KB

MD5
02ba13d98cfddd317331e6fc94278d97

SHA1
3ef535931ec084738e655882768403b8704ef56b

SHA256
26bfff61b64d9ca5017b7175ec93822b7150b23ed976d7b1a184d32d9375f9da

SHA512
ddbffe320cd51baa7d4c423c4318ba1d4846ecec6f3a9f8887bf3783924e742e085e73cff956078067f66cae4adc849934c699698510bdac7826991b01e6ffd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c45000d07293154a655ba52ffb7bab99.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Default\AppData\Roaming\explorer.exe

Filesize
849KB

MD5
489a52a43858a311983c6deb9ce97757

SHA1
826e3fecb6ea6afc5740374973f796d662a80cd9

SHA256
bceb40ada298e3b58f69bb23c43e48d450ac661427ff966993bda05fea4af138

SHA512
17a99c4cc05a6186c3aeca1e1ee02d371683b6044e6e7a99848b9893b131584efb94e863c398220698724779be8d99a1a490840c867f30a57971e747725ccc46

Download Submit
memory/4212-5-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/4212-8-0x00000000011F0000-0x0000000001200000-memory.dmp

Filesize
64KB

Download
memory/4212-7-0x00000000011E0000-0x00000000011E8000-memory.dmp

Filesize
32KB

Download
memory/4212-9-0x0000000001200000-0x000000000120C000-memory.dmp

Filesize
48KB

Download
memory/4212-6-0x00000000011C0000-0x00000000011D6000-memory.dmp

Filesize
88KB

Download
memory/4212-4-0x0000000001210000-0x0000000001260000-memory.dmp

Filesize
320KB

Download
memory/4212-0-0x00007FF9D6623000-0x00007FF9D6625000-memory.dmp

Filesize
8KB

Download
memory/4212-3-0x00000000011A0000-0x00000000011BC000-memory.dmp

Filesize
112KB

Download
memory/4212-2-0x00007FF9D6620000-0x00007FF9D70E1000-memory.dmp

Filesize
10.8MB

Download
memory/4212-216-0x00007FF9D6623000-0x00007FF9D6625000-memory.dmp

Filesize
8KB

Download
memory/4212-1-0x00000000004B0000-0x000000000058A000-memory.dmp

Filesize
872KB

Download
memory/4212-229-0x00007FF9D6620000-0x00007FF9D70E1000-memory.dmp

Filesize
10.8MB

Download