dcrat | f1d40c753045905eb4de629feb351fc9238cccb58c9d8e37245c700534328455

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
26/10/2022, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

264ee26b10dc5d2ff7b6df41c975f6f6.exe
Size

2.8MB
MD5

264ee26b10dc5d2ff7b6df41c975f6f6
SHA1

4809585cc09822319521a5ed68f55d27702b37d6
SHA256

f1d40c753045905eb4de629feb351fc9238cccb58c9d8e37245c700534328455
SHA512

1d990b538ea01505fa04f4bcb0b5f6c3716870bc801f317a482c3f5f92f10b80d4e2b7b06cc1e66853b210d986eba8d1d8e1cc2dce842aa081d77d9a574235b9
SSDEEP

49152:SKMSgDJ61Pk4HCqx2xUKVNzYb5xEJEDqVBQJqg9V7Eol1f2ILY7HFGK5vo8Mxx/i:SxSGgx2GYNz8LkpJgjQonLY7HFn5vojo

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1512	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1512	schtasks.exe	27

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1284-54-0x0000000001070000-0x0000000001338000-memory.dmp	dcrat
behavioral1/files/0x000a00000001230f-73.dat	dcrat
behavioral1/files/0x000a00000001230f-74.dat	dcrat
behavioral1/memory/1152-75-0x0000000000270000-0x0000000000538000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1152	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
6	ipinfo.io

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX70E9.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\6ccacd8608530f	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b75386f1303e64	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX4D8B.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\Idle.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX35F2.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX395C.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\lsass.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\Idle.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files\DVD Maker\it-IT\lsass.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files\DVD Maker\it-IT\6203df4a6bafc7	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX5105.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\services.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCX6524.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCX688F.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX7454.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Characters\cc11b995f2a76d	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Windows\Registration\CRMLog\b75386f1303e64	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\RCX4531.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\winlogon.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX5CCA.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Windows\Registration\CRMLog\taskhost.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Windows\Web\Wallpaper\Characters\winlogon.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File created	C:\Windows\Registration\CRMLog\taskhost.exe	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Windows\Web\Wallpaper\Characters\RCX41B7.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCX595F.tmp	264ee26b10dc5d2ff7b6df41c975f6f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
788	schtasks.exe
1988	schtasks.exe
1464	schtasks.exe
1012	schtasks.exe
1660	schtasks.exe
1788	schtasks.exe
1268	schtasks.exe
1668	schtasks.exe
1524	schtasks.exe
360	schtasks.exe
1032	schtasks.exe
996	schtasks.exe
1824	schtasks.exe
1416	schtasks.exe
836	schtasks.exe
1980	schtasks.exe
1388	schtasks.exe
1808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe
1152	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Token: SeDebugPrivilege	1152	winlogon.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1152	1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe	46
PID 1284 wrote to memory of 1152	1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe	46
PID 1284 wrote to memory of 1152	1284	264ee26b10dc5d2ff7b6df41c975f6f6.exe	46

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	264ee26b10dc5d2ff7b6df41c975f6f6.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	264ee26b10dc5d2ff7b6df41c975f6f6.exe

C:\Users\Admin\AppData\Local\Temp\264ee26b10dc5d2ff7b6df41c975f6f6.exe
"C:\Users\Admin\AppData\Local\Temp\264ee26b10dc5d2ff7b6df41c975f6f6.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1284
- C:\Windows\Web\Wallpaper\Characters\winlogon.exe
  "C:\Windows\Web\Wallpaper\Characters\winlogon.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Characters\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Characters\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Web\Wallpaper\Characters\winlogon.exe

Filesize
2.8MB

MD5
104ec4374b2136071a51d712be356d42

SHA1
a0b6cddb1a7d4c2319c663f48c94c9bee86deea2

SHA256
bc7482d8982c5410627dff329b5542c679832f3baffdc5b1ba20320948a85885

SHA512
e9624e210870f228e207a1fa121bfe652f22af8f0c5992a0cbfb40fe4d0d57d79609bcb4af887c94239d432012c2590fe66a616477d858f511bd6d541a2b669f

Download Submit
C:\Windows\Web\Wallpaper\Characters\winlogon.exe

Filesize
2.8MB

MD5
104ec4374b2136071a51d712be356d42

SHA1
a0b6cddb1a7d4c2319c663f48c94c9bee86deea2

SHA256
bc7482d8982c5410627dff329b5542c679832f3baffdc5b1ba20320948a85885

SHA512
e9624e210870f228e207a1fa121bfe652f22af8f0c5992a0cbfb40fe4d0d57d79609bcb4af887c94239d432012c2590fe66a616477d858f511bd6d541a2b669f

Download Submit
memory/1152-79-0x000000001B266000-0x000000001B285000-memory.dmp

Filesize
124KB

Download
memory/1152-78-0x000000001B266000-0x000000001B285000-memory.dmp

Filesize
124KB

Download
memory/1152-77-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1152-75-0x0000000000270000-0x0000000000538000-memory.dmp

Filesize
2.8MB

Download
memory/1284-60-0x0000000000BC0000-0x0000000000BD0000-memory.dmp

Filesize
64KB

Download
memory/1284-70-0x000000001B166000-0x000000001B185000-memory.dmp

Filesize
124KB

Download
memory/1284-63-0x0000000000E70000-0x0000000000E7C000-memory.dmp

Filesize
48KB

Download
memory/1284-64-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/1284-65-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/1284-66-0x0000000001000000-0x0000000001008000-memory.dmp

Filesize
32KB

Download
memory/1284-67-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/1284-68-0x0000000001010000-0x000000000101E000-memory.dmp

Filesize
56KB

Download
memory/1284-69-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download
memory/1284-62-0x0000000000FB0000-0x0000000001006000-memory.dmp

Filesize
344KB

Download
memory/1284-71-0x000000001B166000-0x000000001B185000-memory.dmp

Filesize
124KB

Download
memory/1284-61-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/1284-54-0x0000000001070000-0x0000000001338000-memory.dmp

Filesize
2.8MB

Download
memory/1284-59-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1284-58-0x0000000000E50000-0x0000000000E66000-memory.dmp

Filesize
88KB

Download
memory/1284-76-0x000000001B166000-0x000000001B185000-memory.dmp

Filesize
124KB

Download
memory/1284-57-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/1284-56-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/1284-55-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download