dcrat | 55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe

Analysis

max time kernel
103s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Size

1.1MB
MD5

f3873b73a0b2ef5c54ba8ed8a571bc14
SHA1

404a503b0a98f21c4adc006ebd7a51466aa1e52d
SHA256

e38968cd849bfac11b8dc61f6945e406dc8fefed82db482d87579b61649cd08f
SHA512

02f343a965daa821e8f14fda3cc296beb8dac814b6618c20506c5afd9625c8108f868463b9318ace1c6e5600abecf1236751846794879bc465c08e3dfa22515a
SSDEEP

12288:96NE5eSwJu37+GXJpkaI7ShG54v4ahgVY3whNG8/LI6i4ejmtnbAouuFteLBdBN9:96NReJXJIwvJgVQSoPEzKkLXa

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Windows\\Fonts\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\", \"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\", \"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\Users\\Public\\Documents\\My Music\\OfficeClickToRun.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5748	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5152	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1868	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	1868	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral26/memory/4696-1-0x0000000000570000-0x000000000069C000-memory.dmp	dcrat
behavioral26/files/0x00050000000227be-26.dat	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	f3873b73a0b2ef5c54ba8ed8a571bc14.exe

Executes dropped EXE 2 IoCs

pid	Process
4784	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
392	OfficeClickToRun.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\4d7dcf6448637544ea7e961be1ad\\csrss.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Documents\\My Music\\OfficeClickToRun.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Fonts\\dllhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\RuntimeBroker.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Security\\BrowserCore\\en-US\\fontdrvhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Documents\\My Music\\OfficeClickToRun.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	f3873b73a0b2ef5c54ba8ed8a571bc14.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\5b884080fd4f94	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\088424020bedd6	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\9e8d7a4ca61bd9	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\en-US\RCXA1A2.tmp	f3873b73a0b2ef5c54ba8ed8a571bc14.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\dllhost.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File created	C:\Windows\Fonts\dllhost.exe	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File created	C:\Windows\Fonts\5940a34987c991	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
File opened for modification	C:\Windows\Fonts\RCX9F9D.tmp	f3873b73a0b2ef5c54ba8ed8a571bc14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4240	schtasks.exe
4380	schtasks.exe
4536	schtasks.exe
3860	schtasks.exe
4524	schtasks.exe
2768	schtasks.exe
4244	schtasks.exe
5496	schtasks.exe
940	schtasks.exe
5212	schtasks.exe
3900	schtasks.exe
4504	schtasks.exe
5748	schtasks.exe
5152	schtasks.exe
468	schtasks.exe
3856	schtasks.exe
4172	schtasks.exe
4916	schtasks.exe
2228	schtasks.exe
3896	schtasks.exe
2200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4696	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
4784	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
4784	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
4784	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
392	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Token: SeDebugPrivilege	4784	f3873b73a0b2ef5c54ba8ed8a571bc14.exe
Token: SeDebugPrivilege	392	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4784	4696	f3873b73a0b2ef5c54ba8ed8a571bc14.exe	100
PID 4696 wrote to memory of 4784	4696	f3873b73a0b2ef5c54ba8ed8a571bc14.exe	100
PID 4784 wrote to memory of 392	4784	f3873b73a0b2ef5c54ba8ed8a571bc14.exe	114
PID 4784 wrote to memory of 392	4784	f3873b73a0b2ef5c54ba8ed8a571bc14.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe
"C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe
  "C:\Users\Admin\AppData\Local\Temp\f3873b73a0b2ef5c54ba8ed8a571bc14.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Public\Documents\My Music\OfficeClickToRun.exe
    "C:\Users\Public\Documents\My Music\OfficeClickToRun.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Music\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\System.exe

Filesize
1.1MB

MD5
f3873b73a0b2ef5c54ba8ed8a571bc14

SHA1
404a503b0a98f21c4adc006ebd7a51466aa1e52d

SHA256
e38968cd849bfac11b8dc61f6945e406dc8fefed82db482d87579b61649cd08f

SHA512
02f343a965daa821e8f14fda3cc296beb8dac814b6618c20506c5afd9625c8108f868463b9318ace1c6e5600abecf1236751846794879bc465c08e3dfa22515a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f3873b73a0b2ef5c54ba8ed8a571bc14.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8651dc5980c60d5fc9efb2ba2d74320fcf09dd1b4.5.33labrador55b829c6e7a180740212f4a04459251de059830a

Filesize
480B

MD5
72eee02dfc5fb1064d6550c696a00ece

SHA1
62b70a5fa90583ff784b4c1f7342e29cde06bd9e

SHA256
c16865dc6ae2b788c66b2938f5a91f1bb08eaf19b4af230791e2857485bd873e

SHA512
ba831b5e1835a3f570b69d68de4f9327b73f995f6db4d153e83393901b0c4a52c62b313494f508356cec6eab0928fe77910feb7d0559a417e7bae12e56c890f4

Download Submit
memory/392-81-0x0000000002CC0000-0x0000000002CD2000-memory.dmp

Filesize
72KB

Download
memory/4696-7-0x00000000028D0000-0x00000000028E2000-memory.dmp

Filesize
72KB

Download
memory/4696-13-0x000000001B9B0000-0x000000001B9BE000-memory.dmp

Filesize
56KB

Download
memory/4696-6-0x000000001B2D0000-0x000000001B2E6000-memory.dmp

Filesize
88KB

Download
memory/4696-4-0x000000001B860000-0x000000001B8B0000-memory.dmp

Filesize
320KB

Download
memory/4696-8-0x000000001B310000-0x000000001B320000-memory.dmp

Filesize
64KB

Download
memory/4696-9-0x000000001B2F0000-0x000000001B2FC000-memory.dmp

Filesize
48KB

Download
memory/4696-10-0x000000001B300000-0x000000001B312000-memory.dmp

Filesize
72KB

Download
memory/4696-11-0x000000001C060000-0x000000001C588000-memory.dmp

Filesize
5.2MB

Download
memory/4696-14-0x000000001B9C0000-0x000000001B9CC000-memory.dmp

Filesize
48KB

Download
memory/4696-0-0x00007FFC19ED3000-0x00007FFC19ED5000-memory.dmp

Filesize
8KB

Download
memory/4696-12-0x000000001B340000-0x000000001B348000-memory.dmp

Filesize
32KB

Download
memory/4696-5-0x00000000028C0000-0x00000000028D0000-memory.dmp

Filesize
64KB

Download
memory/4696-3-0x00000000028A0000-0x00000000028BC000-memory.dmp

Filesize
112KB

Download
memory/4696-49-0x00007FFC19ED0000-0x00007FFC1A991000-memory.dmp

Filesize
10.8MB

Download
memory/4696-1-0x0000000000570000-0x000000000069C000-memory.dmp

Filesize
1.2MB

Download
memory/4696-2-0x00007FFC19ED0000-0x00007FFC1A991000-memory.dmp

Filesize
10.8MB

Download
memory/4784-51-0x000000001C170000-0x000000001C182000-memory.dmp

Filesize
72KB

Download
memory/4784-50-0x000000001B9E0000-0x000000001B9F2000-memory.dmp

Filesize
72KB

Download