dcrat | fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d

Resubmissions

12-02-2023 06:08

230212-gwaw9shf55 10

02-02-2023 03:07

230202-dmra4see74 10

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20220812-es
resource tags

arch:x64arch:x86image:win7-20220812-eslocale:es-esos:windows7-x64systemwindows
submitted
02-02-2023 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PZCheat.exe
Size

1.5MB
MD5

164ba5ee6f6b30539e874248ccfa4c05
SHA1

6b14ed8dab712359453779f2896e1cbad78871d7
SHA256

fc7ca5dbd9e3d228416ea9725c7283d105d75533f7a4e069d89f2632840e1a5d
SHA512

c9b2eef0e4499832f9c4eca8b503f17f4cc7589d0d2b12fe82572ad5df23e85cef9267bdc24928b7ac6df0fff70fe49d2422d6e9a549f07a74c8f9bd47892cfc
SSDEEP

24576:B2G/nvxW3WLRnhzLfSRyBWkNUk9tJIzxIq2+kt3S5wFAiQuwV4ilByjNTVu1:BbA3+p9SRyBW0Tty2E5wFzQuo4iupRu1

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	844	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	844	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/984-67-0x0000000001150000-0x000000000150C000-memory.dmp	dcrat
behavioral1/memory/984-73-0x0000000001150000-0x000000000150C000-memory.dmp	dcrat
behavioral1/memory/2172-81-0x00000000003C0000-0x000000000077C000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

containersavesCrt.execsrss.exe

pid process

984 containersavesCrt.exe
2172 csrss.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

1412 cmd.exe
1412 cmd.exe
2096 cmd.exe
2096 cmd.exe

pid	process
1412	cmd.exe
1412	cmd.exe
2096	cmd.exe
2096	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 10 IoCs

Processes:

containersavesCrt.execsrss.exe

pid	process
984	containersavesCrt.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe

Drops file in Program Files directory 11 IoCs

Processes:

containersavesCrt.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe	containersavesCrt.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\6ccacd8608530f	containersavesCrt.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\WmiPrvSE.exe	containersavesCrt.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	containersavesCrt.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\containersavesCrt.exe	containersavesCrt.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe	containersavesCrt.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\7a0fd90576e088	containersavesCrt.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\Idle.exe	containersavesCrt.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\24dbde2999530e	containersavesCrt.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72	containersavesCrt.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\c0e8d1e0447bf6	containersavesCrt.exe

Drops file in Windows directory 8 IoCs

Processes:

containersavesCrt.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\Aero\en-US\csrss.exe	containersavesCrt.exe
File created	C:\Windows\Resources\Themes\Aero\en-US\886983d96e3d3e	containersavesCrt.exe
File created	C:\Windows\es-ES\WmiPrvSE.exe	containersavesCrt.exe
File created	C:\Windows\es-ES\24dbde2999530e	containersavesCrt.exe
File created	C:\Windows\Prefetch\WMIADAP.exe	containersavesCrt.exe
File created	C:\Windows\Prefetch\75a57c1bdf437c	containersavesCrt.exe
File created	C:\Windows\TAPI\conhost.exe	containersavesCrt.exe
File created	C:\Windows\TAPI\088424020bedd6	containersavesCrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
332	schtasks.exe
1604	schtasks.exe
1724	schtasks.exe
868	schtasks.exe
1268	schtasks.exe
1400	schtasks.exe
1764	schtasks.exe
1352	schtasks.exe
1632	schtasks.exe
1680	schtasks.exe
1772	schtasks.exe
272	schtasks.exe
1316	schtasks.exe
2060	schtasks.exe
1608	schtasks.exe
820	schtasks.exe
1396	schtasks.exe
1628	schtasks.exe
1408	schtasks.exe
1908	schtasks.exe
1268	schtasks.exe
2024	schtasks.exe
1988	schtasks.exe
1948	schtasks.exe
824	schtasks.exe
772	schtasks.exe
932	schtasks.exe
1416	schtasks.exe
1980	schtasks.exe
2024	schtasks.exe
1612	schtasks.exe
772	schtasks.exe
1612	schtasks.exe
1732	schtasks.exe
824	schtasks.exe
1396	schtasks.exe
964	schtasks.exe
1588	schtasks.exe
612	schtasks.exe
1164	schtasks.exe
780	schtasks.exe
820	schtasks.exe
1752	schtasks.exe
1236	schtasks.exe
1696	schtasks.exe
1596	schtasks.exe
1340	schtasks.exe
1816	schtasks.exe
924	schtasks.exe
1688	schtasks.exe
1640	schtasks.exe
2036	schtasks.exe
704	schtasks.exe
1232	schtasks.exe
612	schtasks.exe
1492	schtasks.exe
988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

containersavesCrt.execsrss.exe

pid	process
984	containersavesCrt.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe
2172	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

containersavesCrt.execsrss.exe

description pid process

Token: SeDebugPrivilege 984 containersavesCrt.exe
Token: SeDebugPrivilege 2172 csrss.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

containersavesCrt.execsrss.exe

pid process

984 containersavesCrt.exe
2172 csrss.exe

description	pid	process
Token: SeDebugPrivilege	984	containersavesCrt.exe
Token: SeDebugPrivilege	2172	csrss.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

PZCheat.exeWScript.execmd.execontainersavesCrt.execmd.exew32tm.exe

description	pid	process	target process
PID 1072 wrote to memory of 1320	1072	PZCheat.exe	WScript.exe
PID 1072 wrote to memory of 1320	1072	PZCheat.exe	WScript.exe
PID 1072 wrote to memory of 1320	1072	PZCheat.exe	WScript.exe
PID 1072 wrote to memory of 1320	1072	PZCheat.exe	WScript.exe
PID 1320 wrote to memory of 1412	1320	WScript.exe	cmd.exe
PID 1320 wrote to memory of 1412	1320	WScript.exe	cmd.exe
PID 1320 wrote to memory of 1412	1320	WScript.exe	cmd.exe
PID 1320 wrote to memory of 1412	1320	WScript.exe	cmd.exe
PID 1412 wrote to memory of 984	1412	cmd.exe	containersavesCrt.exe
PID 1412 wrote to memory of 984	1412	cmd.exe	containersavesCrt.exe
PID 1412 wrote to memory of 984	1412	cmd.exe	containersavesCrt.exe
PID 1412 wrote to memory of 984	1412	cmd.exe	containersavesCrt.exe
PID 984 wrote to memory of 2096	984	containersavesCrt.exe	cmd.exe
PID 984 wrote to memory of 2096	984	containersavesCrt.exe	cmd.exe
PID 984 wrote to memory of 2096	984	containersavesCrt.exe	cmd.exe
PID 984 wrote to memory of 2096	984	containersavesCrt.exe	cmd.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	w32tm.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	w32tm.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	w32tm.exe
PID 2096 wrote to memory of 2128	2096	cmd.exe	w32tm.exe
PID 2128 wrote to memory of 2152	2128	w32tm.exe	w32tm.exe
PID 2128 wrote to memory of 2152	2128	w32tm.exe	w32tm.exe
PID 2128 wrote to memory of 2152	2128	w32tm.exe	w32tm.exe
PID 2128 wrote to memory of 2152	2128	w32tm.exe	w32tm.exe
PID 2096 wrote to memory of 2172	2096	cmd.exe	csrss.exe
PID 2096 wrote to memory of 2172	2096	cmd.exe	csrss.exe
PID 2096 wrote to memory of 2172	2096	cmd.exe	csrss.exe
PID 2096 wrote to memory of 2172	2096	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\PZCheat.exe
"C:\Users\Admin\AppData\Local\Temp\PZCheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412

C:\surrogateContainerhostcrtDll\containersavesCrt.exe
"C:\surrogateContainerhostcrtDll\containersavesCrt.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FkSNsaMugs.bat"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2152

C:\Windows\Resources\Themes\Aero\en-US\csrss.exe
"C:\Windows\Resources\Themes\Aero\en-US\csrss.exe"
6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\surrogateContainerhostcrtDll\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\surrogateContainerhostcrtDll\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\surrogateContainerhostcrtDll\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\TAPI\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\surrogateContainerhostcrtDll\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\surrogateContainerhostcrtDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\surrogateContainerhostcrtDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesCrtc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\containersavesCrt.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesCrt" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\containersavesCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesCrtc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\containersavesCrt.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\surrogateContainerhostcrtDll\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\surrogateContainerhostcrtDll\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\surrogateContainerhostcrtDll\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Themes\Aero\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Themes\Aero\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\surrogateContainerhostcrtDll\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\surrogateContainerhostcrtDll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\surrogateContainerhostcrtDll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Prefetch\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FkSNsaMugs.bat

Filesize
213B

MD5
19bce6a2a71791bcd1f0980d52049f34

SHA1
dd791cf8210d5c8f8f29437c258bed06260b5be8

SHA256
777f2a13625479e535fab9d1295b7f3de957f189acf100df9dfd2b250eb40d8f

SHA512
842b78ad4771a6ea5a071e72b7677c3ea69a8abd5902e396f2c1595428cf8ab051ac1ee6746a8d637f20f9a6c25569cfedae46b12378966f732e61bbad3ae750

Download Submit
C:\Windows\Resources\Themes\Aero\en-US\csrss.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\Windows\Resources\Themes\Aero\en-US\csrss.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
C:\surrogateContainerhostcrtDll\fba6WO2dA9UqWb6NlbxSa.bat

Filesize
55B

MD5
f1a7c3c3ddb14918973adcec0ca793e5

SHA1
cd8dc923af6be2083d0a41f69fb32c9a08b2ea7a

SHA256
ed360b14dbbe3a7a03e882f0bd9b892af8357642fcbb296e62bac96112d4a526

SHA512
472f2d9d775d7b3a9a17fc8327040438e591ffbaaf87be8353a4e02446bd5ee805ce39fa2c57f1b32ca6f971210fba6532d3b993b7f861a6dd49edb0986dbccf

Download Submit
C:\surrogateContainerhostcrtDll\qAjDBhKogos2S0J68ty6.vbe

Filesize
226B

MD5
6a5882c4cb8293cb361d7f95c51de59e

SHA1
48662867659024019cfc01e2e4731f9efaa83c67

SHA256
1ce3ab815dfa8ab817dab9bb42c012e940041735fa4f2064f780cd44b7a5c0a2

SHA512
e5c5940e4f1358688df06cb84ab1b9ea3a26a336ccbef7b02b0c40cb6477894855c8513f037ec602b4fce7a72f4a54b4f4ccf314437b595521aa4b3d4f21fe9f

Download Submit
\Windows\Resources\Themes\Aero\en-US\csrss.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
\Windows\Resources\Themes\Aero\en-US\csrss.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
\surrogateContainerhostcrtDll\containersavesCrt.exe

Filesize
1.2MB

MD5
963f8f811b559d489ac8f0f5128acb7a

SHA1
91b273936ab1e1f562d29893f18bfe13a8be6448

SHA256
a3add9edc4b19b2b4e1061b0f1e685c2738bed0be41a5b6bfb6f85b66f21d923

SHA512
6c969271651bb4480d66c17665155e3a9590f41cc59091f2219b9f54bd86eabd6dee0deb758a12980b98740aa3859e670bf0cffa889702b3e038b1f9131a94c7

Download Submit
memory/984-73-0x0000000001150000-0x000000000150C000-memory.dmp

Filesize
3.7MB

Download
memory/984-68-0x0000000001150000-0x000000000150C000-memory.dmp

Filesize
3.7MB

Download
memory/984-64-0x0000000000000000-mapping.dmp

Download
memory/984-67-0x0000000001150000-0x000000000150C000-memory.dmp

Filesize
3.7MB

Download
memory/1072-54-0x0000000076601000-0x0000000076603000-memory.dmp

Filesize
8KB

Download
memory/1320-55-0x0000000000000000-mapping.dmp

Download
memory/1412-62-0x0000000002100000-0x00000000024BC000-memory.dmp

Filesize
3.7MB

Download
memory/1412-59-0x0000000000000000-mapping.dmp

Download
memory/2096-69-0x0000000000000000-mapping.dmp

Download
memory/2128-71-0x0000000000000000-mapping.dmp

Download
memory/2152-74-0x0000000000000000-mapping.dmp

Download
memory/2172-78-0x0000000000000000-mapping.dmp

Download
memory/2172-81-0x00000000003C0000-0x000000000077C000-memory.dmp

Filesize
3.7MB

Download
memory/2172-82-0x00000000003C0000-0x000000000077C000-memory.dmp

Filesize
3.7MB

Download