dcrat | 5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Size

999KB
MD5

7c3748401169a78459eb9603ff69e2b2
SHA1

1a5d82422f062f1ce5d6eb3cb41c56d066f7981f
SHA256

d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d
SHA512

ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12
SSDEEP

12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 10 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\60739cf6f660743813\\SearchApp.exe\", \"C:\\900323d723f1dd1206\\services.exe\", \"C:\\900323d723f1dd1206\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\60739cf6f660743813\\SearchApp.exe\", \"C:\\900323d723f1dd1206\\services.exe\", \"C:\\900323d723f1dd1206\\RuntimeBroker.exe\", \"C:\\Windows\\InputMethod\\CHT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\60739cf6f660743813\\SearchApp.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\60739cf6f660743813\\SearchApp.exe\", \"C:\\900323d723f1dd1206\\services.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\60739cf6f660743813\\SearchApp.exe\", \"C:\\900323d723f1dd1206\\services.exe\", \"C:\\900323d723f1dd1206\\RuntimeBroker.exe\", \"C:\\Windows\\InputMethod\\CHT\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Videos\\System.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\900323d723f1dd1206\\System.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\60739cf6f660743813\\SearchApp.exe\", \"C:\\900323d723f1dd1206\\services.exe\", \"C:\\900323d723f1dd1206\\RuntimeBroker.exe\", \"C:\\Windows\\InputMethod\\CHT\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\RuntimeBroker.exe\", \"C:\\900323d723f1dd1206\\dllhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Process spawned unexpected child process 40 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6040	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5744	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5820	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5588	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5772	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5908	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5816	4528	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5304	4528	schtasks.exe	86

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Executes dropped EXE 1 IoCs

pid	Process
5800	SearchApp.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\900323d723f1dd1206\\dllhost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\900323d723f1dd1206\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\900323d723f1dd1206\\services.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Public\\Videos\\System.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\60739cf6f660743813\\SearchApp.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\900323d723f1dd1206\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\InputMethod\\CHT\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\RuntimeBroker.exe\""	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\9e8d7a4ca61bd9	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX9666.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX9667.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\CHT\RuntimeBroker.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File created	C:\Windows\InputMethod\CHT\9e8d7a4ca61bd9	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCX93E4.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCX9452.tmp	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
File opened for modification	C:\Windows\InputMethod\CHT\RuntimeBroker.exe	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 40 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3088	schtasks.exe
4904	schtasks.exe
5824	schtasks.exe
976	schtasks.exe
4796	schtasks.exe
4832	schtasks.exe
5908	schtasks.exe
4828	schtasks.exe
5028	schtasks.exe
5304	schtasks.exe
4176	schtasks.exe
1632	schtasks.exe
2648	schtasks.exe
3500	schtasks.exe
4024	schtasks.exe
3924	schtasks.exe
4860	schtasks.exe
3016	schtasks.exe
4632	schtasks.exe
4760	schtasks.exe
920	schtasks.exe
5820	schtasks.exe
5772	schtasks.exe
4648	schtasks.exe
4736	schtasks.exe
5744	schtasks.exe
4848	schtasks.exe
4244	schtasks.exe
6040	schtasks.exe
1100	schtasks.exe
4588	schtasks.exe
3664	schtasks.exe
5588	schtasks.exe
4952	schtasks.exe
5816	schtasks.exe
5804	schtasks.exe
3996	schtasks.exe
4708	schtasks.exe
1724	schtasks.exe
5296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
Token: SeDebugPrivilege	5800	SearchApp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2528	1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	133
PID 1076 wrote to memory of 2528	1076	d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe	133
PID 2528 wrote to memory of 5260	2528	cmd.exe	135
PID 2528 wrote to memory of 5260	2528	cmd.exe	135
PID 2528 wrote to memory of 5800	2528	cmd.exe	138
PID 2528 wrote to memory of 5800	2528	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe
"C:\Users\Admin\AppData\Local\Temp\d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5260
- - C:\60739cf6f660743813\SearchApp.exe
    "C:\60739cf6f660743813\SearchApp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\Users\Public\Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONSTART /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc MINUTE /mo 11 /tr "'C:\900323d723f1dd1206\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\900323d723f1dd1206\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONSTART /tr "'C:\900323d723f1dd1206\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONSTART /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc MINUTE /mo 5 /tr "'C:\60739cf6f660743813\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\60739cf6f660743813\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONSTART /tr "'C:\60739cf6f660743813\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONSTART /tr "'C:\900323d723f1dd1206\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 8 /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONSTART /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc MINUTE /mo 14 /tr "'C:\900323d723f1dd1206\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\900323d723f1dd1206\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONSTART /tr "'C:\900323d723f1dd1206\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\900323d723f1dd1206\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\60739cf6f660743813\SearchApp.exe

Filesize
999KB

MD5
7c3748401169a78459eb9603ff69e2b2

SHA1
1a5d82422f062f1ce5d6eb3cb41c56d066f7981f

SHA256
d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d

SHA512
ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12

Download Submit
C:\900323d723f1dd1206\services.exe

Filesize
999KB

MD5
06bd4aeef22087e66ac6a8db057384b0

SHA1
70b97f8fcf423f2b2cab15339bdd5bafa84df0f1

SHA256
a440a0a3b4fafcc78cbf56e35ad7da68bbf6589cec19a6625d017975a5be0050

SHA512
e2efd5106682e6151d3c1d35d2240d61e83de9234508c6672dfb4fd2c361dbf67fd8abe518d38f6df6cb8bbba148abe1b0415c230921a0274fb7ab5a2433d3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0umrEhMBq.bat

Filesize
199B

MD5
1131dae32431d842686984c8bc319251

SHA1
4d0a25d31c390c1f27920524f594866f4eb3d7d7

SHA256
91a956b75374a7c6f96245fd14f541c7e83beabcea515ebf8328e00dbdb1eaf2

SHA512
9b048e0e7dd7486e5e8ad6cc29907c19a7cf4769984cf4305c48077bc91fdd560a09b32ab4be2a6f79f69c4e449a1f75d8b54516f9cc1173bd5308869514d44a

Download Submit
C:\Windows\InputMethod\CHT\RuntimeBroker.exe

Filesize
999KB

MD5
a876ca5ef94d8395c8edb16b50bd889f

SHA1
52324f5b6390d38f0be0b48ea787c96c372a77a9

SHA256
b38e8edb79abbe26096b475cb20ec015af6423ca2a61d817e957e78a27d90e11

SHA512
929f73b94c4a85b70183c53211d8c857c4af4f259003a671cbf8f6578f4d681621271299ec81e47942fac9315c6867bff3d3aeb69a5b90827adc84e8440de83f

Download Submit
memory/1076-4-0x000000001B1C0000-0x000000001B210000-memory.dmp

Filesize
320KB

Download
memory/1076-5-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/1076-7-0x000000001B060000-0x000000001B070000-memory.dmp

Filesize
64KB

Download
memory/1076-6-0x0000000000DD0000-0x0000000000DE0000-memory.dmp

Filesize
64KB

Download
memory/1076-8-0x000000001B070000-0x000000001B07C000-memory.dmp

Filesize
48KB

Download
memory/1076-9-0x000000001B080000-0x000000001B08E000-memory.dmp

Filesize
56KB

Download
memory/1076-10-0x000000001B090000-0x000000001B09C000-memory.dmp

Filesize
48KB

Download
memory/1076-11-0x000000001B0A0000-0x000000001B0AC000-memory.dmp

Filesize
48KB

Download
memory/1076-0-0x00007FF9AFEF3000-0x00007FF9AFEF5000-memory.dmp

Filesize
8KB

Download
memory/1076-3-0x0000000000DA0000-0x0000000000DBC000-memory.dmp

Filesize
112KB

Download
memory/1076-2-0x00007FF9AFEF0000-0x00007FF9B09B1000-memory.dmp

Filesize
10.8MB

Download
memory/1076-159-0x00007FF9AFEF0000-0x00007FF9B09B1000-memory.dmp

Filesize
10.8MB

Download
memory/1076-1-0x0000000000340000-0x0000000000440000-memory.dmp

Filesize
1024KB

Download