dcrat | aff3e08b50336ce6a1cfe39c45d32d918dc6f190662aef666addb193f44d47a8

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
Size

2.3MB
MD5

1a434ea125bf9175e6e56f6a47836059
SHA1

eb01f314197d77976e79044686d2065866bde70f
SHA256

76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f
SHA512

7f6fc96d4e9781fcfd711e31901be908eb464977e3b546c71a5362c2bf0618c93d384cc29fb1f123b53bdaa3e64c98a4207b90187e7803bd00311317e502244a
SSDEEP

49152:WSBvjC9Jp6faCaUlQqv76arSehigDHQYdC1M/:WSBv/aCBJS/qHQsj/

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5956	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5800	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5332	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6136	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5776	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5656	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1760	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1760	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral24/memory/2512-1-0x00000000004B0000-0x0000000000700000-memory.dmp	dcrat
behavioral24/files/0x00070000000242aa-19.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe

Executes dropped EXE 1 IoCs

pid	Process
1388	dllhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\488d7fc194dfb3	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files\Uninstall Information\ea9f0e6c9e2dcd	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files\Java\jre-1.8\explorer.exe	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files\Java\jre-1.8\7a0fd90576e088	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files (x86)\MSBuild\csrss.exe	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files (x86)\MSBuild\886983d96e3d3e	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files\Uninstall Information\taskhostw.exe	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\c5b4cb5e9653cc	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\ELS\29c1c3cc0f7685	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
File created	C:\Windows\Globalization\ELS\unsecapp.exe	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6136	schtasks.exe
4652	schtasks.exe
4748	schtasks.exe
4792	schtasks.exe
4988	schtasks.exe
5656	schtasks.exe
2352	schtasks.exe
3380	schtasks.exe
4896	schtasks.exe
4736	schtasks.exe
5112	schtasks.exe
4728	schtasks.exe
3264	schtasks.exe
2076	schtasks.exe
4760	schtasks.exe
4992	schtasks.exe
2448	schtasks.exe
3980	schtasks.exe
5800	schtasks.exe
3892	schtasks.exe
4752	schtasks.exe
4964	schtasks.exe
4692	schtasks.exe
4820	schtasks.exe
5084	schtasks.exe
5956	schtasks.exe
4920	schtasks.exe
1572	schtasks.exe
552	schtasks.exe
5332	schtasks.exe
4776	schtasks.exe
4412	schtasks.exe
5776	schtasks.exe
928	schtasks.exe
3276	schtasks.exe
3756	schtasks.exe
384	schtasks.exe
4960	schtasks.exe
4708	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe
1388	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1388	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
Token: SeDebugPrivilege	1388	dllhost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1388	2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe	127
PID 2512 wrote to memory of 1388	2512	76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe
"C:\Users\Admin\AppData\Local\Temp\76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\d25f591a00514bc9ba8441\dllhost.exe
  "C:\d25f591a00514bc9ba8441\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f7" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f7" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\d25f591a00514bc9ba8441\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\7e20f84d5244aba7145631d4073af8\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\7e20f84d5244aba7145631d4073af8\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\ELS\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ELS\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\d25f591a00514bc9ba8441\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\d25f591a00514bc9ba8441\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre-1.8\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\d25f591a00514bc9ba8441\RuntimeBroker.exe

Filesize
2.3MB

MD5
1a434ea125bf9175e6e56f6a47836059

SHA1
eb01f314197d77976e79044686d2065866bde70f

SHA256
76c8d5e2491a4836fa8b56458d7b9e73a7e14b8a86b4ec2fd2ea2b0b5f19188f

SHA512
7f6fc96d4e9781fcfd711e31901be908eb464977e3b546c71a5362c2bf0618c93d384cc29fb1f123b53bdaa3e64c98a4207b90187e7803bd00311317e502244a

Download Submit
memory/1388-49-0x000000001BC90000-0x000000001BCE6000-memory.dmp

Filesize
344KB

Download
memory/2512-4-0x0000000002880000-0x00000000028D0000-memory.dmp

Filesize
320KB

Download
memory/2512-3-0x0000000002810000-0x000000000282C000-memory.dmp

Filesize
112KB

Download
memory/2512-5-0x0000000002830000-0x0000000002846000-memory.dmp

Filesize
88KB

Download
memory/2512-6-0x000000001B3E0000-0x000000001B436000-memory.dmp

Filesize
344KB

Download
memory/2512-0-0x00007FFF259B3000-0x00007FFF259B5000-memory.dmp

Filesize
8KB

Download
memory/2512-7-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/2512-9-0x00000000028D0000-0x00000000028DE000-memory.dmp

Filesize
56KB

Download
memory/2512-8-0x000000001C2F0000-0x000000001C818000-memory.dmp

Filesize
5.2MB

Download
memory/2512-10-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2512-2-0x00007FFF259B0000-0x00007FFF26471000-memory.dmp

Filesize
10.8MB

Download
memory/2512-48-0x00007FFF259B0000-0x00007FFF26471000-memory.dmp

Filesize
10.8MB

Download
memory/2512-1-0x00000000004B0000-0x0000000000700000-memory.dmp

Filesize
2.3MB

Download