dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85edcd8fbc445760ff0796aa459e3c42.exe
Size

999KB
MD5

85edcd8fbc445760ff0796aa459e3c42
SHA1

bc63d62de0f20bee25246b808bf512371e9aa875
SHA256

8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292
SHA512

a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c
SSDEEP

12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\", \"C:\\Windows\\Migration\\WTR\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\", \"C:\\Windows\\Migration\\WTR\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\", \"C:\\Users\\Public\\Libraries\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\Idle.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\", \"C:\\Windows\\Migration\\WTR\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\", \"C:\\Users\\Public\\Libraries\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\", \"C:\\Windows\\Migration\\WTR\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\", \"C:\\Users\\Public\\Libraries\\explorer.exe\", \"C:\\Program Files\\Windows Photo Viewer\\Idle.exe\", \"C:\\Users\\All Users\\spoolsv.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\", \"C:\\Windows\\Migration\\WTR\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\dwm.exe\", \"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\", \"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\", \"C:\\Windows\\Migration\\WTR\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe

Executes dropped EXE 1 IoCs

pid	Process
2732	dwm.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\All Users\\spoolsv.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\18fc4542-69f6-11ef-a46c-62cb582c238c\\sppsvc.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\dllhost.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Public\\Libraries\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Windows Photo Viewer\\Idle.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Defender\\en-US\\explorer.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Migration\\WTR\\dwm.exe\""	85edcd8fbc445760ff0796aa459e3c42.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\en-US\7a0fd90576e088	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\7a0fd90576e088	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows Photo Viewer\Idle.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\explorer.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXCDA5.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXD48F.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\Idle.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows Defender\en-US\explorer.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Program Files\Windows Photo Viewer\6ccacd8608530f	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCXC96D.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\RCXC97E.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXCDA6.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXD421.tmp	85edcd8fbc445760ff0796aa459e3c42.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\dwm.exe	85edcd8fbc445760ff0796aa459e3c42.exe
File created	C:\Windows\Migration\WTR\6cb0b6c459d5d3	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Migration\WTR\RCXCB91.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Migration\WTR\RCXCB92.tmp	85edcd8fbc445760ff0796aa459e3c42.exe
File opened for modification	C:\Windows\Migration\WTR\dwm.exe	85edcd8fbc445760ff0796aa459e3c42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1804	schtasks.exe
2952	schtasks.exe
1756	schtasks.exe
1416	schtasks.exe
2980	schtasks.exe
2772	schtasks.exe
1568	schtasks.exe
2156	schtasks.exe
628	schtasks.exe
1132	schtasks.exe
1332	schtasks.exe
2784	schtasks.exe
2620	schtasks.exe
2028	schtasks.exe
1660	schtasks.exe
2612	schtasks.exe
2824	schtasks.exe
2332	schtasks.exe
2516	schtasks.exe
1212	schtasks.exe
2916	schtasks.exe
2664	schtasks.exe
1668	schtasks.exe
772	schtasks.exe
1084	schtasks.exe
820	schtasks.exe
2560	schtasks.exe
2944	schtasks.exe
2484	schtasks.exe
2760	schtasks.exe
2804	schtasks.exe
2264	schtasks.exe
2208	schtasks.exe
2844	schtasks.exe
2276	schtasks.exe
2152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1836	85edcd8fbc445760ff0796aa459e3c42.exe
1836	85edcd8fbc445760ff0796aa459e3c42.exe
1836	85edcd8fbc445760ff0796aa459e3c42.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	85edcd8fbc445760ff0796aa459e3c42.exe
Token: SeDebugPrivilege	2732	dwm.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2892	1836	85edcd8fbc445760ff0796aa459e3c42.exe	68
PID 1836 wrote to memory of 2892	1836	85edcd8fbc445760ff0796aa459e3c42.exe	68
PID 1836 wrote to memory of 2892	1836	85edcd8fbc445760ff0796aa459e3c42.exe	68
PID 2892 wrote to memory of 1220	2892	cmd.exe	70
PID 2892 wrote to memory of 1220	2892	cmd.exe	70
PID 2892 wrote to memory of 1220	2892	cmd.exe	70
PID 2892 wrote to memory of 2732	2892	cmd.exe	71
PID 2892 wrote to memory of 2732	2892	cmd.exe	71
PID 2892 wrote to memory of 2732	2892	cmd.exe	71

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe
"C:\Users\Admin\AppData\Local\Temp\85edcd8fbc445760ff0796aa459e3c42.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JBhaqFKSfb.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1220
- - C:\Windows\Migration\WTR\dwm.exe
    "C:\Windows\Migration\WTR\dwm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONSTART /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONSTART /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONSTART /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONSTART /tr "'C:\Program Files\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONSTART /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dwm.exe

Filesize
999KB

MD5
9f8ed4956291b912fd2bbf72102744d5

SHA1
bba7f5ce81c1b57ca26c115fe8f925cb91a941de

SHA256
d1c8d06527ffd3c4c9ace4ea69b456257790b8f7836de31a1deb6fa7f8aefb19

SHA512
86a20884c41b9028c7816cae7cfbe951276b60bc613ffe445607bed7b5f101051a9e0efbeaa6d243dfc33bce68f46ed5eb86eed0b932c56c0aff209f7414acc9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe

Filesize
999KB

MD5
44cedcd15569a63b914a5f0d31131bf3

SHA1
3036455cd9f5250ce16f3053d15e73b1b2cf185c

SHA256
1370ddcbb0f5abd3916f07f075cacf82a3e0c249d8a4669c65c143d22e81f4c9

SHA512
b1a4e38781910ec1927762333cf529308afd7cd0384e702b7bd6bc6e6cf448b370daa6ef2141eee861efec1a650787c3fa4885443b37aea210ae177d9800ef67

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\de-DE\explorer.exe

Filesize
999KB

MD5
85edcd8fbc445760ff0796aa459e3c42

SHA1
bc63d62de0f20bee25246b808bf512371e9aa875

SHA256
8b7f417cdbc071fe2752a6c225154b943636ebd63674d591861251f5bdaaa292

SHA512
a192875edf98bd51e92a0a827c7b767041fa1c25595a70683f458971ff300a87404edfd9b1507220440f5e6c9704ebed07655498f27bee224d97dc56eb91525c

Download Submit
C:\Program Files\Windows Photo Viewer\Idle.exe

Filesize
999KB

MD5
247775476fc0c8221e059dd3141236e3

SHA1
a36c25d9067fa4bd98d9be74c9242207e8f3635c

SHA256
f099090709a44b3687e8c4e1c72a34c170a27793940ed22be05d433a89f6987c

SHA512
8c7fe9e0943a9fa7e023426c51f6fefc4316b74c5a2e71c053875ebc820d52e3bf3248295cd477a86095c848000031c0349288f2dc42c3f105ba290c43423aee

Download Submit
C:\ProgramData\spoolsv.exe

Filesize
999KB

MD5
4fe2c5ce54a2f99cf9d60e87a393a090

SHA1
99bea75add1bf4f3c7076f3c5726e47d4e408301

SHA256
16ee9cd79f51caad46cf15f8d9cdd4b8ea26845a440adbed930c453bef258a2e

SHA512
bf8a9ff5b62ef742c73128ce1863685609ef9ce62190a790d7972efaf3e15978070c182905c80bf1217f9971a4c27e3a630cfa2f86a1d94b5ce3402d7ada5529

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBhaqFKSfb.bat

Filesize
196B

MD5
10a9fa407997587ef401f3a821e400cc

SHA1
7adec1842bf6687b9fae1a80f027834d979c1cc5

SHA256
3bd7fcbc19bd00ece6bdf737a1882945e0b43093e114cda7741d6d54a007b3ea

SHA512
febcff32d600af3a13f4738e4ab42905aefc2b68f28def0d2419c9850103e67301f0c473ebe85de5843b390f4924a3fb4aa33b129a9b0c5ff269f3381cbab44c

Download Submit
memory/1836-9-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1836-10-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1836-0-0x000007FEF5F83000-0x000007FEF5F84000-memory.dmp

Filesize
4KB

Download
memory/1836-5-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/1836-6-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/1836-8-0x0000000000470000-0x000000000047E000-memory.dmp

Filesize
56KB

Download
memory/1836-7-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1836-3-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/1836-4-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/1836-2-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-144-0x000007FEF5F80000-0x000007FEF696C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-1-0x00000000012D0000-0x00000000013D0000-memory.dmp

Filesize
1024KB

Download
memory/2732-147-0x0000000001150000-0x0000000001250000-memory.dmp

Filesize
1024KB

Download