dcrat | 1e9b61bacadec88ed81039e5551de06d39f558694e5756bbe7aa92d46ba488a5

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90125421267c6f2a55fb1566eac89528.exe
Size

1.1MB
MD5

90125421267c6f2a55fb1566eac89528
SHA1

eb56f971b495461dce763a4680b96c4e07d5a1b5
SHA256

1e9b61bacadec88ed81039e5551de06d39f558694e5756bbe7aa92d46ba488a5
SHA512

e36d7cccf5c4e7aa134a922e7d5b735cc4ab5094dd4cdb2a4407c33934459871b412c7f8d4c527d75f04535ca592fd1a354a718925ef7a21a6a28e2b02d58d6f
SSDEEP

24576:KCEPLqs02vS7YlgdGNrY6JtfcDc8a24C2xSeq9Ra+4:KCCx0XIUUmRN

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 22 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2708	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2708	schtasks.exe	28

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3056-0-0x0000000000190000-0x00000000002B2000-memory.dmp	dcrat
behavioral1/files/0x0006000000016cf2-14.dat	dcrat
behavioral1/memory/2532-44-0x0000000000970000-0x0000000000A92000-memory.dmp	dcrat
behavioral1/memory/2532-47-0x0000000002320000-0x00000000023A0000-memory.dmp	dcrat
behavioral1/memory/1244-70-0x0000000000F10000-0x0000000001032000-memory.dmp	dcrat
behavioral1/memory/1244-72-0x000000001B090000-0x000000001B110000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1244	dwm.exe

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\\smss.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\unimdmat\\taskhost.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\lsass.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\d3d11\\services.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90125421267c6f2a55fb1566eac89528 = "\"C:\\MSOCache\\All Users\\90125421267c6f2a55fb1566eac89528.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Microsoft Help\\lsass.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\sppsvc\\csrss.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\System32\\lmhsvc\\spoolsv.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twunk_32\\explorer.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\wbemcore\\WmiPrvSE.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\spoolsv.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\90125421267c6f2a55fb1566eac89528 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\java_install_reg\\90125421267c6f2a55fb1566eac89528.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Windows\\System32\\wininet\\taskhost.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\\Idle.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\twunk_16\\explorer.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\kbd101c\\csrss.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\PerfLogs\\Admin\\lsm.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\perfos\\csrss.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\srrstr\\csrss.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\spoolsv.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Common Files\\SpeechEngines\\dwm.exe\""	90125421267c6f2a55fb1566eac89528.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\ProgramData\\Favorites\\lsass.exe\""	90125421267c6f2a55fb1566eac89528.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\System32\srrstr\csrss.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\srrstr\886983d96e3d3e31032c679b2d4ea91b6c05afef	90125421267c6f2a55fb1566eac89528.exe
File opened for modification	C:\Windows\System32\perfos\csrss.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\wbem\wbemcore\24dbde2999530ef5fd907494bc374d663924116c	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\d3d11\c5b4cb5e9653cce737f29f72ba880dd4c4bab27d	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\wininet\taskhost.exe	90125421267c6f2a55fb1566eac89528.exe
File opened for modification	C:\Windows\System32\lmhsvc\spoolsv.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\lmhsvc\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\kbd101c\886983d96e3d3e31032c679b2d4ea91b6c05afef	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\perfos\886983d96e3d3e31032c679b2d4ea91b6c05afef	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\wbem\wbemcore\WmiPrvSE.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\kbd101c\csrss.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\perfos\csrss.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\d3d11\services.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\sppsvc\csrss.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\sppsvc\886983d96e3d3e31032c679b2d4ea91b6c05afef	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\lmhsvc\spoolsv.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\unimdmat\taskhost.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\unimdmat\b75386f1303e64d8139363b71e44ac16341adf4e	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\System32\wininet\b75386f1303e64d8139363b71e44ac16341adf4e	90125421267c6f2a55fb1566eac89528.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\SpeechEngines\6cb0b6c459d5d3455a3da700e713f2e2529862ff	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24f33798f5d2fb3790c3d9b894c4	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Program Files\Common Files\SpeechEngines\dwm.exe	90125421267c6f2a55fb1566eac89528.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\twunk_16\explorer.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\twunk_16\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\twunk_32\explorer.exe	90125421267c6f2a55fb1566eac89528.exe
File created	C:\Windows\twunk_32\7a0fd90576e08807bde2cc57bcf9854bbce05fe3	90125421267c6f2a55fb1566eac89528.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 22 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1048	schtasks.exe
2688	schtasks.exe
2068	schtasks.exe
2944	schtasks.exe
1788	schtasks.exe
1720	schtasks.exe
2808	schtasks.exe
1504	schtasks.exe
1104	schtasks.exe
2844	schtasks.exe
2588	schtasks.exe
2732	schtasks.exe
2904	schtasks.exe
1384	schtasks.exe
2476	schtasks.exe
1632	schtasks.exe
968	schtasks.exe
2968	schtasks.exe
1832	schtasks.exe
1512	schtasks.exe
800	schtasks.exe
2316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3056	90125421267c6f2a55fb1566eac89528.exe
2560	90125421267c6f2a55fb1566eac89528.exe
3064	90125421267c6f2a55fb1566eac89528.exe
2532	90125421267c6f2a55fb1566eac89528.exe
1244	dwm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	90125421267c6f2a55fb1566eac89528.exe
Token: SeDebugPrivilege	2560	90125421267c6f2a55fb1566eac89528.exe
Token: SeDebugPrivilege	3064	90125421267c6f2a55fb1566eac89528.exe
Token: SeDebugPrivilege	2532	90125421267c6f2a55fb1566eac89528.exe
Token: SeDebugPrivilege	1244	dwm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2560	3056	90125421267c6f2a55fb1566eac89528.exe	33
PID 3056 wrote to memory of 2560	3056	90125421267c6f2a55fb1566eac89528.exe	33
PID 3056 wrote to memory of 2560	3056	90125421267c6f2a55fb1566eac89528.exe	33
PID 2560 wrote to memory of 3064	2560	90125421267c6f2a55fb1566eac89528.exe	38
PID 2560 wrote to memory of 3064	2560	90125421267c6f2a55fb1566eac89528.exe	38
PID 2560 wrote to memory of 3064	2560	90125421267c6f2a55fb1566eac89528.exe	38
PID 3064 wrote to memory of 1492	3064	90125421267c6f2a55fb1566eac89528.exe	48
PID 3064 wrote to memory of 1492	3064	90125421267c6f2a55fb1566eac89528.exe	48
PID 3064 wrote to memory of 1492	3064	90125421267c6f2a55fb1566eac89528.exe	48
PID 1492 wrote to memory of 1188	1492	cmd.exe	46
PID 1492 wrote to memory of 1188	1492	cmd.exe	46
PID 1492 wrote to memory of 1188	1492	cmd.exe	46
PID 1492 wrote to memory of 3008	1492	cmd.exe	49
PID 1492 wrote to memory of 3008	1492	cmd.exe	49
PID 1492 wrote to memory of 3008	1492	cmd.exe	49
PID 1492 wrote to memory of 2532	1492	cmd.exe	50
PID 1492 wrote to memory of 2532	1492	cmd.exe	50
PID 1492 wrote to memory of 2532	1492	cmd.exe	50
PID 2532 wrote to memory of 1676	2532	90125421267c6f2a55fb1566eac89528.exe	61
PID 2532 wrote to memory of 1676	2532	90125421267c6f2a55fb1566eac89528.exe	61
PID 2532 wrote to memory of 1676	2532	90125421267c6f2a55fb1566eac89528.exe	61
PID 1676 wrote to memory of 1192	1676	cmd.exe	59
PID 1676 wrote to memory of 1192	1676	cmd.exe	59
PID 1676 wrote to memory of 1192	1676	cmd.exe	59
PID 1676 wrote to memory of 2432	1676	cmd.exe	58
PID 1676 wrote to memory of 2432	1676	cmd.exe	58
PID 1676 wrote to memory of 2432	1676	cmd.exe	58
PID 1676 wrote to memory of 1244	1676	cmd.exe	62
PID 1676 wrote to memory of 1244	1676	cmd.exe	62
PID 1676 wrote to memory of 1244	1676	cmd.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe
"C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe
  "C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe
    "C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UH7nsZNhp7.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe
        
        "C:\Users\Admin\AppData\Local\Temp\90125421267c6f2a55fb1566eac89528.exe"
        5⤵
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tid4Iapb5F.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Program Files\Common Files\SpeechEngines\dwm.exe
        
        "C:\Program Files\Common Files\SpeechEngines\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twunk_16\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\sppsvc\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\lmhsvc\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\unimdmat\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\PerfLogs\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\kbd101c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\perfos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\srrstr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\twunk_32\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\d3d11\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\wbemcore\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "90125421267c6f2a55fb1566eac89528" /sc ONLOGON /tr "'C:\MSOCache\All Users\90125421267c6f2a55fb1566eac89528.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "90125421267c6f2a55fb1566eac89528" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\java_install_reg\90125421267c6f2a55fb1566eac89528.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ProgramData\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\System32\wininet\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2432

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UH7nsZNhp7.bat

Filesize
286B

MD5
2df48089e1af14c940aaa31a4a9605fc

SHA1
6332ddce73943417fa077736b71c529b6efbf939

SHA256
78bc97114298cc022703bd859b82ab0026d0993f3174a88cb5abc006ee9f59f5

SHA512
9f225047378ea2d06d0d6a97b7f75421e9cb614b8018993f9f4026e8901f7be014034bac2d55f6d959c4408830760aab10487c8cc898c1ef14f652b5b61734c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tid4Iapb5F.bat

Filesize
267B

MD5
36ac06a115a5320eba5dbd5f991761ca

SHA1
22e0932b87ba67e3520df087d2095b0aa5bc2520

SHA256
a0baf8ea2d5c66ba8c200ac8abebbb5d4141373171bc2e11c0a1c5cd89ec8c79

SHA512
f2cbafb06f0d1a335e28a36d8dd400216e24d1ee68cbcb84bb0cbb68ab938336f60f59746c9cdb71c441aaf2f2fa4ffd78365a6c05f9188dfc8304c0664afa78

Download Submit
C:\Windows\System32\lmhsvc\spoolsv.exe

Filesize
1.1MB

MD5
90125421267c6f2a55fb1566eac89528

SHA1
eb56f971b495461dce763a4680b96c4e07d5a1b5

SHA256
1e9b61bacadec88ed81039e5551de06d39f558694e5756bbe7aa92d46ba488a5

SHA512
e36d7cccf5c4e7aa134a922e7d5b735cc4ab5094dd4cdb2a4407c33934459871b412c7f8d4c527d75f04535ca592fd1a354a718925ef7a21a6a28e2b02d58d6f

Download Submit
memory/1244-74-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/1244-73-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/1244-72-0x000000001B090000-0x000000001B110000-memory.dmp

Filesize
512KB

Download
memory/1244-70-0x0000000000F10000-0x0000000001032000-memory.dmp

Filesize
1.1MB

Download
memory/1244-71-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-45-0x000007FEF4C30000-0x000007FEF561C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-67-0x000007FEF4C30000-0x000007FEF561C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-47-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/2532-44-0x0000000000970000-0x0000000000A92000-memory.dmp

Filesize
1.1MB

Download
memory/2560-12-0x000000001ADA0000-0x000000001AE20000-memory.dmp

Filesize
512KB

Download
memory/2560-46-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/2560-11-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-0-0x0000000000190000-0x00000000002B2000-memory.dmp

Filesize
1.1MB

Download
memory/3056-13-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-2-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/3056-1-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-43-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download
memory/3064-23-0x000000001AC20000-0x000000001ACA0000-memory.dmp

Filesize
512KB

Download
memory/3064-22-0x000007FEF5620000-0x000007FEF600C000-memory.dmp

Filesize
9.9MB

Download