dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
105s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff1699c2d9f4f22e51e270417a93a15a.exe
Size

849KB
MD5

ff1699c2d9f4f22e51e270417a93a15a
SHA1

9f17a9e3c2d549d24fa993c723a3ad50b7f60ba6
SHA256

5569d2a749ae8057fb0b05849ad9bf5cef65f28c081cae2a2ddc8ae1e7c76528
SHA512

dc7fac70d397ad94321b1b81c2d53cfe4bc6d444e4f7a5a5f6804ab1529ca6ed41cd1a16675738ce2f083e291bdd4f7efe3053cff61ce4287a5fc719a90c910d
SSDEEP

12288:o6NE5ig5Fttrh5PxjUm5SvDdLILaBFkjKuAMx6A5gtbGk84Ca04jtiPBgGKYTx:o6N297PxbsKtC5AHgk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5676	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5908	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6060	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5768	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5408	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5424	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5152	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6104	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	4048	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	4048	schtasks.exe	88

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral20/memory/6080-1-0x0000000000A70000-0x0000000000B4A000-memory.dmp	dcrat
behavioral20/files/0x0007000000024214-18.dat	dcrat
behavioral20/files/0x0009000000024208-95.dat	dcrat
behavioral20/files/0x000b000000024218-151.dat	dcrat
behavioral20/files/0x000800000002423d-270.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	ff1699c2d9f4f22e51e270417a93a15a.exe

Executes dropped EXE 1 IoCs

pid	Process
4588	dwm.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\backgroundTaskHost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\886983d96e3d3e	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4380_292599033\RCX497D.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCX50C7.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4752_1501088294\winlogon.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\MusNotification.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\edge_BITS_4512_300620500\backgroundTaskHost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\MusNotification.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4380_292599033\backgroundTaskHost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\dotnet\backgroundTaskHost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4752_1501088294\RCX554E.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\edge_BITS_4752_1501088294\cc11b995f2a76d	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\Windows Media Player\en-US\886983d96e3d3e	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX5755.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4512_300620500\backgroundTaskHost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\dotnet\RCX4EB2.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\csrss.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\RCX52CC.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\RCX52CD.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX595A.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\Registry.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\csrss.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\csrss.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\ff1699c2d9f4f22e51e270417a93a15a.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\RCX50B6.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4752_1501088294\RCX554F.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX5FE8.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX62D8.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\edge_BITS_4512_300620500\eddb19405b7ce1	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\edge_BITS_4380_292599033\eddb19405b7ce1	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files (x86)\Windows Mail\Registry.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4512_300620500\RCX3990.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4380_292599033\RCX497E.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\RCX5754.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX595B.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX626A.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\edge_BITS_4380_292599033\backgroundTaskHost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\dotnet\eddb19405b7ce1	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\f8a1ec94918eb0	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files (x86)\Windows Mail\ee2ad38f3d4382	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\Windows Media Player\en-US\csrss.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\edge_BITS_4512_300620500\RCX3991.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files\dotnet\RCX4EB1.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX5FE7.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\edge_BITS_4752_1501088294\winlogon.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\aa97147c4c782d	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files (x86)\Windows Mail\fontdrvhost.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Program Files (x86)\Windows Mail\5b884080fd4f94	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\ff1699c2d9f4f22e51e270417a93a15a.exe	ff1699c2d9f4f22e51e270417a93a15a.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Basebrd\en-US\dwm.exe	ff1699c2d9f4f22e51e270417a93a15a.exe
File created	C:\Windows\Branding\Basebrd\en-US\6cb0b6c459d5d3	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX5BDC.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX5BDD.tmp	ff1699c2d9f4f22e51e270417a93a15a.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\dwm.exe	ff1699c2d9f4f22e51e270417a93a15a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ff1699c2d9f4f22e51e270417a93a15a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4640	schtasks.exe
3420	schtasks.exe
5432	schtasks.exe
6104	schtasks.exe
4452	schtasks.exe
4580	schtasks.exe
1744	schtasks.exe
1152	schtasks.exe
5768	schtasks.exe
1192	schtasks.exe
1188	schtasks.exe
4988	schtasks.exe
3572	schtasks.exe
4864	schtasks.exe
4544	schtasks.exe
5676	schtasks.exe
5424	schtasks.exe
4472	schtasks.exe
4396	schtasks.exe
2024	schtasks.exe
4548	schtasks.exe
5152	schtasks.exe
1160	schtasks.exe
4596	schtasks.exe
5908	schtasks.exe
3024	schtasks.exe
3668	schtasks.exe
5516	schtasks.exe
4612	schtasks.exe
1972	schtasks.exe
4428	schtasks.exe
1240	schtasks.exe
4744	schtasks.exe
4480	schtasks.exe
5604	schtasks.exe
980	schtasks.exe
5408	schtasks.exe
540	schtasks.exe
4720	schtasks.exe
4620	schtasks.exe
1548	schtasks.exe
4664	schtasks.exe
1036	schtasks.exe
4996	schtasks.exe
6060	schtasks.exe
1520	schtasks.exe
3184	schtasks.exe
1544	schtasks.exe
628	schtasks.exe
4812	schtasks.exe
4496	schtasks.exe
3852	schtasks.exe
4684	schtasks.exe
4712	schtasks.exe
3972	schtasks.exe
4796	schtasks.exe
4520	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
6080	ff1699c2d9f4f22e51e270417a93a15a.exe
4588	dwm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	6080	ff1699c2d9f4f22e51e270417a93a15a.exe
Token: SeDebugPrivilege	4588	dwm.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 6080 wrote to memory of 4588	6080	ff1699c2d9f4f22e51e270417a93a15a.exe	152
PID 6080 wrote to memory of 4588	6080	ff1699c2d9f4f22e51e270417a93a15a.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ff1699c2d9f4f22e51e270417a93a15a.exe
"C:\Users\Admin\AppData\Local\Temp\ff1699c2d9f4f22e51e270417a93a15a.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6080
- C:\Windows\Branding\Basebrd\en-US\dwm.exe
  "C:\Windows\Branding\Basebrd\en-US\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4512_300620500\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4512_300620500\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4512_300620500\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Recent\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\ebea8a0c5b7ebb8dc5b60da7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4380_292599033\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4380_292599033\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\edge_BITS_4380_292599033\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\87efddaf44110a3d80760c508da79ad7\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\87efddaf44110a3d80760c508da79ad7\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Program Files\dotnet\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ff1699c2d9f4f22e51e270417a93a15af" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\ff1699c2d9f4f22e51e270417a93a15a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ff1699c2d9f4f22e51e270417a93a15a" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\ff1699c2d9f4f22e51e270417a93a15a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ff1699c2d9f4f22e51e270417a93a15af" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\ff1699c2d9f4f22e51e270417a93a15a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4752_1501088294\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4752_1501088294\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4752_1501088294\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\87efddaf44110a3d80760c508da79ad7\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\87efddaf44110a3d80760c508da79ad7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\87efddaf44110a3d80760c508da79ad7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\87efddaf44110a3d80760c508da79ad7\fontdrvhost.exe

Filesize
849KB

MD5
6f4e7912eef62c3e0cb5531793f3da16

SHA1
89b0a902b50714baf650d523e8ebe04f23627a2c

SHA256
3211b96b7553b2c6e78075e4d28c494ae65f98ebb28ecbd4e750498e65089a93

SHA512
21f278abfd42f5556439fa4db91e54648d2b3d19eb59a5f40454b6ba3eee3158fd3b337b4dc3f547b812556cbbb82a3204090d7c53185ca1ede53aa37e726462

Download Submit
C:\Program Files\Windows Media Player\en-US\csrss.exe

Filesize
849KB

MD5
b420e90667f234dbea69c021bbf92aef

SHA1
0cb5d3b5db50b53b0579cbdb8dd78d12452fcef0

SHA256
e1b06ac2b297800527ac28c04b7dc5448335f44cdb138c2957045078ded7e330

SHA512
18551067b51a818ecb30dfae200b8896feb661729c54cf2ae921a30d0ccbff88520993d9bbc3077c82bbaa08717fafe3bddf5abea02006498b9de7e6c4c3b16a

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
849KB

MD5
ff1699c2d9f4f22e51e270417a93a15a

SHA1
9f17a9e3c2d549d24fa993c723a3ad50b7f60ba6

SHA256
5569d2a749ae8057fb0b05849ad9bf5cef65f28c081cae2a2ddc8ae1e7c76528

SHA512
dc7fac70d397ad94321b1b81c2d53cfe4bc6d444e4f7a5a5f6804ab1529ca6ed41cd1a16675738ce2f083e291bdd4f7efe3053cff61ce4287a5fc719a90c910d

Download Submit
C:\Recovery\WindowsRE\wininit.exe

Filesize
849KB

MD5
31ff7d9447247ca5e4d9fe7fd11a6ebc

SHA1
d6f066e663fd37df09ceba238edfadf9790be3fc

SHA256
5c488ade9b7df082f9839806fcbb593c99f2f73b0539bdc52bcd4e82691fd439

SHA512
b7acae7312fc7c1c27019560ef9ca627c24fc623abde32b5d954be1660490718ad78b17dca62cb6e78d649e10cafba5f0cdd99dcd34286b4d0155866e93c6a2d

Download Submit
memory/6080-4-0x000000001BD40000-0x000000001BD90000-memory.dmp

Filesize
320KB

Download
memory/6080-8-0x000000001B6A0000-0x000000001B6B0000-memory.dmp

Filesize
64KB

Download
memory/6080-9-0x000000001B6B0000-0x000000001B6BC000-memory.dmp

Filesize
48KB

Download
memory/6080-7-0x000000001B680000-0x000000001B688000-memory.dmp

Filesize
32KB

Download
memory/6080-6-0x000000001B660000-0x000000001B676000-memory.dmp

Filesize
88KB

Download
memory/6080-0-0x00007FF96B973000-0x00007FF96B975000-memory.dmp

Filesize
8KB

Download
memory/6080-5-0x000000001B650000-0x000000001B660000-memory.dmp

Filesize
64KB

Download
memory/6080-3-0x0000000002CC0000-0x0000000002CDC000-memory.dmp

Filesize
112KB

Download
memory/6080-2-0x00007FF96B970000-0x00007FF96C431000-memory.dmp

Filesize
10.8MB

Download
memory/6080-214-0x00007FF96B973000-0x00007FF96B975000-memory.dmp

Filesize
8KB

Download
memory/6080-226-0x00007FF96B970000-0x00007FF96C431000-memory.dmp

Filesize
10.8MB

Download
memory/6080-1-0x0000000000A70000-0x0000000000B4A000-memory.dmp

Filesize
872KB

Download
memory/6080-333-0x00007FF96B970000-0x00007FF96C431000-memory.dmp

Filesize
10.8MB

Download