dcrat | b90c52219d8c75357133266f06849a804b0995d3e20e9e0672c78bc94ebc8c9d

Analysis

max time kernel
91s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02da4648a2941f1f70f9dc3d59f72595.exe
Size

2.6MB
MD5

02da4648a2941f1f70f9dc3d59f72595
SHA1

f04ff761eea9313ebaa1cf5d2914c3de7fe0b1c0
SHA256

b90c52219d8c75357133266f06849a804b0995d3e20e9e0672c78bc94ebc8c9d
SHA512

3b12be79bb99744155b09e34fb392cda54f2f9d55a2da4d930012800fe96d472028c2c09c8c4f5b008257864e8fe50d783f6ec7091f6eff6413054ec762c664f
SSDEEP

49152:+pTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:+ZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	1388	schtasks.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	1388	schtasks.exe	67

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	02da4648a2941f1f70f9dc3d59f72595.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1032-132-0x0000000000460000-0x0000000000704000-memory.dmp	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02da4648a2941f1f70f9dc3d59f72595.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Program Files\Windows Portable Devices\ee2ad38f3d4382	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files\7-Zip\Lang\csrss.exe	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\f3b6ecef712a24	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Program Files\Windows Portable Devices\Registry.exe	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB3CE.tmp	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXB91F.tmp	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXC257.tmp	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\56085415360792	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX8F2B.tmp	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX9B23.tmp	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe	02da4648a2941f1f70f9dc3d59f72595.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RCXC556.tmp	02da4648a2941f1f70f9dc3d59f72595.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\taskhostw.exe	02da4648a2941f1f70f9dc3d59f72595.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\ea9f0e6c9e2dcd	02da4648a2941f1f70f9dc3d59f72595.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1768	1032	WerFault.exe	78

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
556	schtasks.exe
1780	schtasks.exe
5004	schtasks.exe
208	schtasks.exe
4796	schtasks.exe
3152	schtasks.exe
3360	schtasks.exe
3124	schtasks.exe
4992	schtasks.exe
1692	schtasks.exe
3524	schtasks.exe
3548	schtasks.exe
1624	schtasks.exe
4900	schtasks.exe
2400	schtasks.exe
3156	schtasks.exe
3452	schtasks.exe
1616	schtasks.exe
3544	schtasks.exe
1884	schtasks.exe
2216	schtasks.exe
4336	schtasks.exe
2060	schtasks.exe
4192	schtasks.exe
4852	schtasks.exe
2652	schtasks.exe
3888	schtasks.exe
3540	schtasks.exe
3412	schtasks.exe
2596	schtasks.exe
4476	schtasks.exe
4244	schtasks.exe
5052	schtasks.exe
4704	schtasks.exe
1844	schtasks.exe
5076	schtasks.exe
2044	schtasks.exe
4540	schtasks.exe
2748	schtasks.exe
5016	schtasks.exe
1764	schtasks.exe
3400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe
1032	02da4648a2941f1f70f9dc3d59f72595.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	02da4648a2941f1f70f9dc3d59f72595.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	02da4648a2941f1f70f9dc3d59f72595.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	02da4648a2941f1f70f9dc3d59f72595.exe

C:\Users\Admin\AppData\Local\Temp\02da4648a2941f1f70f9dc3d59f72595.exe
"C:\Users\Admin\AppData\Local\Temp\02da4648a2941f1f70f9dc3d59f72595.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1032 -s 1064
  2⤵
  - Program crash
  PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02da4648a2941f1f70f9dc3d59f725950" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\02da4648a2941f1f70f9dc3d59f72595.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02da4648a2941f1f70f9dc3d59f72595" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\02da4648a2941f1f70f9dc3d59f72595.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "02da4648a2941f1f70f9dc3d59f725950" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\02da4648a2941f1f70f9dc3d59f72595.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 180 -p 1032 -ip 1032
1⤵
PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-132-0x0000000000460000-0x0000000000704000-memory.dmp

Filesize
2.6MB

Download
memory/1032-133-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp

Filesize
10.8MB

Download
memory/1032-134-0x000000001D1D0000-0x000000001D6F8000-memory.dmp

Filesize
5.2MB

Download
memory/1032-135-0x000000001B489000-0x000000001B48F000-memory.dmp

Filesize
24KB

Download
memory/1032-136-0x000000001E090000-0x000000001E094000-memory.dmp

Filesize
16KB

Download
memory/1032-137-0x000000001E094000-0x000000001E097000-memory.dmp

Filesize
12KB

Download
memory/1032-138-0x000000001E097000-0x000000001E09C000-memory.dmp

Filesize
20KB

Download
memory/1032-139-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp

Filesize
10.8MB

Download
memory/1032-140-0x000000001B489000-0x000000001B48F000-memory.dmp

Filesize
24KB

Download
memory/1032-141-0x000000001E090000-0x000000001E094000-memory.dmp

Filesize
16KB

Download
memory/1032-142-0x000000001E094000-0x000000001E097000-memory.dmp

Filesize
12KB

Download
memory/1032-143-0x000000001E097000-0x000000001E09C000-memory.dmp

Filesize
20KB

Download
memory/1032-145-0x000000001E090000-0x000000001E094000-memory.dmp

Filesize
16KB

Download
memory/1032-144-0x00007FFF3CBB0000-0x00007FFF3D671000-memory.dmp

Filesize
10.8MB

Download
memory/1032-146-0x000000001E094000-0x000000001E097000-memory.dmp

Filesize
12KB

Download
memory/1032-147-0x000000001E097000-0x000000001E09C000-memory.dmp

Filesize
20KB

Download