dcrat | c00b5a8c5635fbf1075f5048ee4ef28f9926f2e5d72a903e1a10cbdad1812de3

Analysis

max time kernel
149s
max time network
147s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-01-2023 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FGZlVYbGGS.exe
Size

2.9MB
MD5

f005ea5a727f0543d559c4d430c9078b
SHA1

a671eac2ca2ae7eb39980f9cca0261b346246152
SHA256

c00b5a8c5635fbf1075f5048ee4ef28f9926f2e5d72a903e1a10cbdad1812de3
SHA512

ea69ebef2c24158c94713e5b9afe426c105d350163fb87b56c0c1bb684a0dcd40b5fd789b6fbdffaaa25b70bedb8690043e3bc0816fdef2f72a3681792211fc6
SSDEEP

49152:H4DKm+cjWnC8WLqxdGWJMcWI2TJT1Q0UN2Trsljq:YDKmzjWnC8Wikx1DUN2/Uq

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	596	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

FGZlVYbGGS.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FGZlVYbGGS.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1264-54-0x0000000000D70000-0x0000000001056000-memory.dmp	dcrat
C:\Program Files\Common Files\SpeechEngines\taskhost.exe	dcrat
C:\Program Files\Common Files\SpeechEngines\taskhost.exe	dcrat
behavioral1/memory/2272-123-0x00000000000F0000-0x00000000003D6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

2272 taskhost.exe

pid	process
2272	taskhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

FGZlVYbGGS.exetaskhost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FGZlVYbGGS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

FGZlVYbGGS.exe

description	ioc	process
File created	C:\Program Files\Common Files\SpeechEngines\taskhost.exe	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\taskhost.exe	FGZlVYbGGS.exe
File created	C:\Program Files\Common Files\SpeechEngines\b75386f1303e64	FGZlVYbGGS.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\RCX2E43.tmp	FGZlVYbGGS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1768	schtasks.exe
1176	schtasks.exe
1776	schtasks.exe
1848	schtasks.exe
864	schtasks.exe
964	schtasks.exe
1540	schtasks.exe
1636	schtasks.exe
1360	schtasks.exe
1352	schtasks.exe
1236	schtasks.exe
1104	schtasks.exe
828	schtasks.exe
768	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

FGZlVYbGGS.exetaskhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1264	FGZlVYbGGS.exe
2272	taskhost.exe
1040	powershell.exe
1092	powershell.exe
1236	powershell.exe
1636	powershell.exe
1148	powershell.exe
1856	powershell.exe
1852	powershell.exe
1004	powershell.exe
1612	powershell.exe
860	powershell.exe
320	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

FGZlVYbGGS.exetaskhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1264	FGZlVYbGGS.exe
Token: SeDebugPrivilege	2272	taskhost.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

FGZlVYbGGS.execmd.exetaskhost.exe

description	pid	process	target process
PID 1264 wrote to memory of 1720	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1720	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1720	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1612	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1612	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1612	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1852	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1852	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1852	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1092	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1092	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1092	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1148	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1148	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1148	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 320	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 320	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 320	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 860	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 860	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 860	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1856	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1856	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1856	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1004	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1004	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1004	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1040	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1040	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1040	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1236	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1236	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1236	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1636	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1636	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 1636	1264	FGZlVYbGGS.exe	powershell.exe
PID 1264 wrote to memory of 964	1264	FGZlVYbGGS.exe	cmd.exe
PID 1264 wrote to memory of 964	1264	FGZlVYbGGS.exe	cmd.exe
PID 1264 wrote to memory of 964	1264	FGZlVYbGGS.exe	cmd.exe
PID 964 wrote to memory of 2200	964	cmd.exe	w32tm.exe
PID 964 wrote to memory of 2200	964	cmd.exe	w32tm.exe
PID 964 wrote to memory of 2200	964	cmd.exe	w32tm.exe
PID 964 wrote to memory of 2272	964	cmd.exe	taskhost.exe
PID 964 wrote to memory of 2272	964	cmd.exe	taskhost.exe
PID 964 wrote to memory of 2272	964	cmd.exe	taskhost.exe
PID 2272 wrote to memory of 2636	2272	taskhost.exe	WScript.exe
PID 2272 wrote to memory of 2636	2272	taskhost.exe	WScript.exe
PID 2272 wrote to memory of 2636	2272	taskhost.exe	WScript.exe
PID 2272 wrote to memory of 2664	2272	taskhost.exe	WScript.exe
PID 2272 wrote to memory of 2664	2272	taskhost.exe	WScript.exe
PID 2272 wrote to memory of 2664	2272	taskhost.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

FGZlVYbGGS.exetaskhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	FGZlVYbGGS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\FGZlVYbGGS.exe
"C:\Users\Admin\AppData\Local\Temp\FGZlVYbGGS.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tL8aKHMvnQ.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2200

C:\Program Files\Common Files\SpeechEngines\taskhost.exe
"C:\Program Files\Common Files\SpeechEngines\taskhost.exe"
3⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2272

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\672e9c30-07c8-475d-8cc7-923db7d07d15.vbs"
4⤵
PID:2636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80937a5c-a8da-4998-a963-76d3669d9414.vbs"
4⤵
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\SpeechEngines\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\SpeechEngines\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\ad6fdfc2-6219-11ed-a572-5e34c4ab0fa3\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\SpeechEngines\taskhost.exe
Filesize
2.9MB

MD5
9081c669ff27fcb632210bc42cdad57c

SHA1
7f74596d2fb38b5eafe4115b65ca3865433518e5

SHA256
3c09434c09e937602e76cf605b635754edcabea649a961e367f8b6eba540a240

SHA512
8a1985271688a0c265d546cd69f85c2003b33242041d6ad0f5ce1266750fe739b00ce0ac61f764da97eaaa5408c528b0dde4c1967477fdd74c2e042987c8610c

Download Submit
C:\Program Files\Common Files\SpeechEngines\taskhost.exe
Filesize
2.9MB

MD5
9081c669ff27fcb632210bc42cdad57c

SHA1
7f74596d2fb38b5eafe4115b65ca3865433518e5

SHA256
3c09434c09e937602e76cf605b635754edcabea649a961e367f8b6eba540a240

SHA512
8a1985271688a0c265d546cd69f85c2003b33242041d6ad0f5ce1266750fe739b00ce0ac61f764da97eaaa5408c528b0dde4c1967477fdd74c2e042987c8610c

Download Submit
C:\Users\Admin\AppData\Local\Temp\672e9c30-07c8-475d-8cc7-923db7d07d15.vbs
Filesize
732B

MD5
8c54b9dd3ba1693822aff2e93e43b35c

SHA1
22b32ce8ec7480c837a655eeaa78e6a179ff14eb

SHA256
8fb7b0d9d18202dde4e1a420da1a97ed9a598b86a971afc4ca779dc3b8f969e8

SHA512
294f44b017ecec0c9e32987da2ee7eda9224f6d8cc52174614257e2d47a0d90deb92325d514c1e316f149167d804f7f58ddbd9281943cbbbbbcb582d077300ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\80937a5c-a8da-4998-a963-76d3669d9414.vbs
Filesize
508B

MD5
eb8eceda7e05fe6327b8ddadbf3a102e

SHA1
bd60120db3884afacdb6985f68d37024d38a6020

SHA256
c6a418e6d01c9cc101485ec6d358c60431e2bd3fa4eb07a36fa7feca429263db

SHA512
6799693d758973079dc0051358736eb94672f0ee1d29b2489abac4b3f62181f5f3562b89553063f80b3ff6a16b96ec6ec2b8ff05f18b5ee59d2853aeb10d2e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\tL8aKHMvnQ.bat
Filesize
221B

MD5
34410237a38829b3418c58d4a68ba4de

SHA1
9a1a63fc8c4ebf320c1e12870e2e61e3649b4f73

SHA256
bee797c2eac28480fb0d84563b97e8729381b7b533bb412c9c492ee1f4916bcd

SHA512
e705f1db5955a87c65438f666cd5122c81d175c2f4bfe396a2dd62fe834a2be4a83cd5c8a6887cff9d736d633e93418a7a8870bf1b5797f7355133708c9fed34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
1b1cd3a2429c3589c396a1946c5bf387

SHA1
4088935d210b8b8476cd24410328069d9706650a

SHA256
cc64b9617bcd047b701c7b3d202b6c78494e2ef1ce1b23b2f2ecea5af2479f5d

SHA512
a20a004c538a57dfd4b3e4ee5e8c35fb22230263cfeedaa185776c1d4c963dfc2055bc10f06853096f66cd75d58785407b37bfd79c78406c6735e04d7de4cc26

Download Submit
memory/320-167-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/320-166-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/320-83-0x0000000000000000-mapping.dmp

Download
memory/320-142-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/320-165-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/320-134-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/320-125-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/860-186-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/860-182-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/860-132-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/860-185-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/860-84-0x0000000000000000-mapping.dmp

Download
memory/860-127-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/860-164-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/860-140-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/964-106-0x0000000000000000-mapping.dmp

Download
memory/1004-157-0x000000001B740000-0x000000001BA3F000-memory.dmp

Filesize
3.0MB

Download
memory/1004-181-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/1004-133-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1004-126-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1004-141-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/1004-90-0x0000000000000000-mapping.dmp

Download
memory/1004-188-0x00000000022F4000-0x00000000022F7000-memory.dmp

Filesize
12KB

Download
memory/1004-191-0x00000000022FB000-0x000000000231A000-memory.dmp

Filesize
124KB

Download
memory/1040-117-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1040-168-0x000000000261B000-0x000000000263A000-memory.dmp

Filesize
124KB

Download
memory/1040-135-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1040-93-0x0000000000000000-mapping.dmp

Download
memory/1040-155-0x000000001B770000-0x000000001BA6F000-memory.dmp

Filesize
3.0MB

Download
memory/1040-143-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1040-169-0x0000000002614000-0x0000000002617000-memory.dmp

Filesize
12KB

Download
memory/1092-156-0x000000001B7F0000-0x000000001BAEF000-memory.dmp

Filesize
3.0MB

Download
memory/1092-128-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1092-81-0x0000000000000000-mapping.dmp

Download
memory/1092-170-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1092-171-0x000000000289B000-0x00000000028BA000-memory.dmp

Filesize
124KB

Download
memory/1092-116-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1092-136-0x0000000002894000-0x0000000002897000-memory.dmp

Filesize
12KB

Download
memory/1148-147-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1148-173-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/1148-172-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1148-124-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1148-82-0x0000000000000000-mapping.dmp

Download
memory/1148-159-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1148-148-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1236-184-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1236-150-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1236-121-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1236-97-0x0000000000000000-mapping.dmp

Download
memory/1236-163-0x000000001B830000-0x000000001BB2F000-memory.dmp

Filesize
3.0MB

Download
memory/1236-183-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1236-178-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1236-146-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1264-75-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/1264-66-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/1264-72-0x0000000000B40000-0x0000000000B48000-memory.dmp

Filesize
32KB

Download
memory/1264-71-0x0000000000B30000-0x0000000000B3E000-memory.dmp

Filesize
56KB

Download
memory/1264-55-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1264-56-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1264-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1264-61-0x0000000000640000-0x0000000000650000-memory.dmp

Filesize
64KB

Download
memory/1264-58-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/1264-59-0x0000000000430000-0x0000000000438000-memory.dmp

Filesize
32KB

Download
memory/1264-62-0x0000000000980000-0x000000000098A000-memory.dmp

Filesize
40KB

Download
memory/1264-70-0x0000000000B20000-0x0000000000B2A000-memory.dmp

Filesize
40KB

Download
memory/1264-69-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1264-54-0x0000000000D70000-0x0000000001056000-memory.dmp

Filesize
2.9MB

Download
memory/1264-74-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1264-60-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/1264-73-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/1264-76-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/1264-77-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/1264-63-0x0000000000A80000-0x0000000000AD6000-memory.dmp

Filesize
344KB

Download
memory/1264-68-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/1264-67-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1264-64-0x0000000000990000-0x000000000099C000-memory.dmp

Filesize
48KB

Download
memory/1264-65-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/1612-130-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1612-89-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1612-176-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1612-177-0x00000000025BB000-0x00000000025DA000-memory.dmp

Filesize
124KB

Download
memory/1612-79-0x0000000000000000-mapping.dmp

Download
memory/1612-86-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/1612-138-0x00000000025B4000-0x00000000025B7000-memory.dmp

Filesize
12KB

Download
memory/1636-99-0x0000000000000000-mapping.dmp

Download
memory/1636-114-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1636-158-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1636-189-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1636-149-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1636-180-0x000000000276B000-0x000000000278A000-memory.dmp

Filesize
124KB

Download
memory/1636-144-0x0000000002764000-0x0000000002767000-memory.dmp

Filesize
12KB

Download
memory/1720-78-0x0000000000000000-mapping.dmp

Download
memory/1852-179-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1852-139-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1852-190-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/1852-131-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1852-80-0x0000000000000000-mapping.dmp

Download
memory/1852-187-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/1852-115-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1852-161-0x000000001B840000-0x000000001BB3F000-memory.dmp

Filesize
3.0MB

Download
memory/1856-175-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1856-174-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1856-129-0x000007FEEEA00000-0x000007FEEF55D000-memory.dmp

Filesize
11.4MB

Download
memory/1856-162-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1856-137-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1856-118-0x000007FEEA9D0000-0x000007FEEB3F3000-memory.dmp

Filesize
10.1MB

Download
memory/1856-85-0x0000000000000000-mapping.dmp

Download
memory/2200-113-0x0000000000000000-mapping.dmp

Download
memory/2272-123-0x00000000000F0000-0x00000000003D6000-memory.dmp

Filesize
2.9MB

Download
memory/2272-145-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2272-120-0x0000000000000000-mapping.dmp

Download
memory/2636-151-0x0000000000000000-mapping.dmp

Download
memory/2664-152-0x0000000000000000-mapping.dmp

Download