dcrat | f441317d17e6b7c64e1bba5228b509142abe985bd47677a641c3e05f28886cf1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
Size

1.2MB
MD5

14fcd197cdb6cdb4c01ce23615c00e53
SHA1

010670457c082a750eca6d28568ed819b1f32559
SHA256

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72
SHA512

a170f923fbd41d78f60a3ac06fb5b04e867955c07746063a28c861ce9f74c0460ea539f0e900234bbacb02d0485e4fd8355a0a6826d64fcdd8aef5b059997c7b
SSDEEP

24576:RHIfa4YPdvEo074Zxgzv4AkDKiK0AtSSIb3gqAIj:FIi4noPhUi/Atbc3i

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2028	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	2028	schtasks.exe

DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

behavioral2/memory/4648-1-0x0000000000180000-0x00000000002B8000-memory.dmp dcrat
C:\Program Files\Windows NT\Accessories\csrss.exe dcrat

resource	yara_rule
behavioral2/memory/4648-1-0x0000000000180000-0x00000000002B8000-memory.dmp	dcrat
C:\Program Files\Windows NT\Accessories\csrss.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe

Executes dropped EXE 1 IoCs

Processes:

sysmon.exe

pid process

4808 sysmon.exe

pid	process
4808	sysmon.exe

Drops file in Program Files directory 8 IoCs

Processes:

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Program Files (x86)\Internet Explorer\uk-UA\27d1bcfc3c54e0	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Program Files\Windows NT\Accessories\csrss.exe	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Program Files\Windows NT\Accessories\886983d96e3d3e	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe

Drops file in Windows directory 2 IoCs

Processes:

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe

description	ioc	process
File created	C:\Windows\Web\f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
File created	C:\Windows\Web\8933f8fb254a0a	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3276	schtasks.exe
1936	schtasks.exe
4016	schtasks.exe
4356	schtasks.exe
3608	schtasks.exe
1136	schtasks.exe
5080	schtasks.exe
2876	schtasks.exe
1076	schtasks.exe
1048	schtasks.exe
3904	schtasks.exe
3360	schtasks.exe
1572	schtasks.exe
4792	schtasks.exe
2464	schtasks.exe
1948	schtasks.exe
2236	schtasks.exe
828	schtasks.exe
2620	schtasks.exe
4524	schtasks.exe
2260	schtasks.exe
5100	schtasks.exe
3676	schtasks.exe
1384	schtasks.exe
2408	schtasks.exe
1448	schtasks.exe
736	schtasks.exe
224	schtasks.exe
3580	schtasks.exe
3128	schtasks.exe
2148	schtasks.exe
1724	schtasks.exe
920	schtasks.exe
3528	schtasks.exe
4576	schtasks.exe
2116	schtasks.exe
3784	schtasks.exe
1840	schtasks.exe
2452	schtasks.exe
4004	schtasks.exe
3800	schtasks.exe
4472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exesysmon.exe

pid	process
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
4808	sysmon.exe
4808	sysmon.exe
4808	sysmon.exe
4808	sysmon.exe
4808	sysmon.exe
4808	sysmon.exe
4808	sysmon.exe
4808	sysmon.exe
4808	sysmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sysmon.exe

pid process

4808 sysmon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exesysmon.exe

description pid process

Token: SeDebugPrivilege 4648 f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
Token: SeDebugPrivilege 4808 sysmon.exe

pid	process
4808	sysmon.exe

description	pid	process
Token: SeDebugPrivilege	4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
Token: SeDebugPrivilege	4808	sysmon.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe

description	pid	process	target process
PID 4648 wrote to memory of 4808	4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe	sysmon.exe
PID 4648 wrote to memory of 4808	4648	f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe
"C:\Users\Admin\AppData\Local\Temp\f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Recovery\WindowsRE\sysmon.exe
"C:\Recovery\WindowsRE\sysmon.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72f" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72" /sc ONLOGON /tr "'C:\Windows\Web\f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72f" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\Accessories\csrss.exe
Filesize
1.2MB

MD5
14fcd197cdb6cdb4c01ce23615c00e53

SHA1
010670457c082a750eca6d28568ed819b1f32559

SHA256
f9dc41ab7a043cf887b9737060be951dd11571c5774a8b6ca004b503c1995c72

SHA512
a170f923fbd41d78f60a3ac06fb5b04e867955c07746063a28c861ce9f74c0460ea539f0e900234bbacb02d0485e4fd8355a0a6826d64fcdd8aef5b059997c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE56F2.tmp
Filesize
1KB

MD5
c4b6f8744ed5d8cd22366ccc62a831ae

SHA1
272c52c3168c13eb02d7c70e6b9e13229514a117

SHA256
669aa55b22f247411e2bf013794784c5e2637ccd764d8115bfa5a8d24f121b5e

SHA512
4fc6c8163d17fbe5c7153d0284271a16e01bbfa0aa0af54e8cdc871f22cfdd564a9251d55624dca458b46b9d1775d82d0bd8c5efc5e49e594caa4c660d5b4d43

Download Submit
memory/4648-0-0x00007FFEC4133000-0x00007FFEC4135000-memory.dmp

Filesize
8KB

Download
memory/4648-1-0x0000000000180000-0x00000000002B8000-memory.dmp

Filesize
1.2MB

Download
memory/4648-2-0x00007FFEC4130000-0x00007FFEC4BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-3-0x00000000023C0000-0x00000000023DC000-memory.dmp

Filesize
112KB

Download
memory/4648-4-0x0000000002440000-0x0000000002490000-memory.dmp

Filesize
320KB

Download
memory/4648-7-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/4648-6-0x0000000002400000-0x000000000240E000-memory.dmp

Filesize
56KB

Download
memory/4648-5-0x00000000023E0000-0x00000000023F6000-memory.dmp

Filesize
88KB

Download
memory/4648-48-0x00007FFEC4130000-0x00007FFEC4BF1000-memory.dmp

Filesize
10.8MB

Download