dcrat | 503f68ee6b9cb184e1dad186bb3f7e200a97b0ebd56de4a2bdd7e78d6c10e3aa

Analysis

max time kernel
125s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
Size

829KB
MD5

75efabc3056a03a80af5f744f2c7f616
SHA1

8c8d4b0dd3b3f3cafcc55841431a3f56be29c47f
SHA256

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92
SHA512

e552ed4b4a06e4daf004832153e1904e6ad19be127bfdb479f0688a5ae7425618ffac17c9a686971b72beb8a46f48c57fc6a628b6a4302d00a9c1650fa12c798
SSDEEP

12288:PEyrEZFe6JTVqa28z0SOGBslmJrZpUpazI5Izpbpwvr2/QJVKOEpiu:s7e6JTVXaGu2M5IzNpwS/QJVKO4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4116	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4116	schtasks.exe

DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
rat

Processes:

resource yara_rule

behavioral2/memory/1472-1-0x0000000000A50000-0x0000000000B26000-memory.dmp dcrat
C:\Windows\appcompat\Programs\MusNotification.exe dcrat

resource	yara_rule
behavioral2/memory/1472-1-0x0000000000A50000-0x0000000000B26000-memory.dmp	dcrat
C:\Windows\appcompat\Programs\MusNotification.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

Executes dropped EXE 1 IoCs

Processes:

winlogon.exe

pid process

1348 winlogon.exe

pid	process
1348	winlogon.exe

Drops file in Program Files directory 14 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\VideoLAN\RuntimeBroker.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\VideoLAN\9e8d7a4ca61bd9	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\cc11b995f2a76d	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\29c1c3cc0f7685	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\Internet Explorer\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\msedge.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\61a52ddc9dd915	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files\Internet Explorer\275c2e83f62543	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Windows Media Player\System.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Program Files (x86)\Windows Media Player\27d1bcfc3c54e0	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

Drops file in Windows directory 8 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

description	ioc	process
File created	C:\Windows\de-DE\ea9f0e6c9e2dcd	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Windows\appcompat\Programs\MusNotification.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Windows\appcompat\Programs\aa97147c4c782d	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Windows\GameBarPresenceWriter\wininit.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Windows\GameBarPresenceWriter\56085415360792	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Windows\Sun\taskhostw.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Windows\Sun\ea9f0e6c9e2dcd	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
File created	C:\Windows\de-DE\taskhostw.exe	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
884	schtasks.exe
4452	schtasks.exe
4428	schtasks.exe
1560	schtasks.exe
4964	schtasks.exe
112	schtasks.exe
216	schtasks.exe
5020	schtasks.exe
4408	schtasks.exe
784	schtasks.exe
4576	schtasks.exe
3684	schtasks.exe
4472	schtasks.exe
3360	schtasks.exe
2116	schtasks.exe
2320	schtasks.exe
3008	schtasks.exe
1816	schtasks.exe
2680	schtasks.exe
1504	schtasks.exe
4800	schtasks.exe
4388	schtasks.exe
3564	schtasks.exe
1684	schtasks.exe
4968	schtasks.exe
1152	schtasks.exe
3244	schtasks.exe
4404	schtasks.exe
1668	schtasks.exe
2808	schtasks.exe
820	schtasks.exe
1428	schtasks.exe
1532	schtasks.exe
3936	schtasks.exe
1912	schtasks.exe
4660	schtasks.exe
3636	schtasks.exe
2152	schtasks.exe
3044	schtasks.exe
4692	schtasks.exe
3212	schtasks.exe
1448	schtasks.exe
548	schtasks.exe
3924	schtasks.exe
5036	schtasks.exe
4624	schtasks.exe
840	schtasks.exe
2024	schtasks.exe
2788	schtasks.exe
4152	schtasks.exe
1580	schtasks.exe
2560	schtasks.exe
2280	schtasks.exe
1020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exewinlogon.exe

pid	process
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
1348	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exewinlogon.exe

description pid process

Token: SeDebugPrivilege 1472 249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
Token: SeDebugPrivilege 1348 winlogon.exe

description	pid	process
Token: SeDebugPrivilege	1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
Token: SeDebugPrivilege	1348	winlogon.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe

description	pid	process	target process
PID 1472 wrote to memory of 1348	1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe	winlogon.exe
PID 1472 wrote to memory of 1348	1472	249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe	winlogon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe
"C:\Users\Admin\AppData\Local\Temp\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\Downloads\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\Programs\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\appcompat\Programs\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Windows\appcompat\Programs\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\GameBarPresenceWriter\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb922" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb922" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Sun\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\de-DE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4156,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\appcompat\Programs\MusNotification.exe
Filesize
829KB

MD5
75efabc3056a03a80af5f744f2c7f616

SHA1
8c8d4b0dd3b3f3cafcc55841431a3f56be29c47f

SHA256
249009648a4e88d2cd0fb5e595c911e5dca3ec1d70252981554ab0331800cb92

SHA512
e552ed4b4a06e4daf004832153e1904e6ad19be127bfdb479f0688a5ae7425618ffac17c9a686971b72beb8a46f48c57fc6a628b6a4302d00a9c1650fa12c798

Download Submit
memory/1472-0-0x00007FFCA8693000-0x00007FFCA8695000-memory.dmp

Filesize
8KB

Download
memory/1472-1-0x0000000000A50000-0x0000000000B26000-memory.dmp

Filesize
856KB

Download
memory/1472-2-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

Filesize
10.8MB

Download
memory/1472-50-0x00007FFCA8690000-0x00007FFCA9151000-memory.dmp

Filesize
10.8MB

Download