dcrat | 5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
Size

2.4MB
MD5

526153cbd86009228ad53cd262a9c6b3
SHA1

6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2
SHA256

5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48
SHA512

9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665
SSDEEP

49152:TF42UxdKzPsUdtK7iOgwNwjlYrdnXJc9Qn3z4:TC2UxdYZhOIeBXJcu3

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1808	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1808	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1560-1-0x0000000000F40000-0x00000000011B6000-memory.dmp	dcrat
behavioral2/files/0x0007000000023445-23.dat	dcrat

Detects executables packed with SmartAssembly 1 IoCs

resource	yara_rule
behavioral2/memory/1560-12-0x000000001BFB0000-0x000000001BFBA000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 1 IoCs

pid	Process
3200	upfc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Windows Mail\55b276f4edf653	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\ModifiableWindowsApps\dllhost.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\Windows Defender\56085415360792	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\Windows Photo Viewer\upfc.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\Windows Mail\ee2ad38f3d4382	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\Windows Photo Viewer\ea1d8f6d871115	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\upfc.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\9e8d7a4ca61bd9	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Google\9e8d7a4ca61bd9	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\Windows Defender\wininit.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files\Windows Mail\Registry.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Program Files (x86)\Google\RuntimeBroker.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\27d1bcfc3c54e0	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\bcastdvr\fontdrvhost.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\bcastdvr\5b884080fd4f94	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\LiveKernelReports\lsass.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\LiveKernelReports\6203df4a6bafc7	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\DiagTrack\dllhost.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\DiagTrack\5940a34987c991	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
File created	C:\Windows\Downloaded Program Files\System.exe	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3944	schtasks.exe
1784	schtasks.exe
3112	schtasks.exe
2240	schtasks.exe
4552	schtasks.exe
2964	schtasks.exe
3428	schtasks.exe
3376	schtasks.exe
1756	schtasks.exe
4524	schtasks.exe
4392	schtasks.exe
3468	schtasks.exe
1832	schtasks.exe
3372	schtasks.exe
3284	schtasks.exe
896	schtasks.exe
3676	schtasks.exe
4644	schtasks.exe
2320	schtasks.exe
4156	schtasks.exe
4824	schtasks.exe
4544	schtasks.exe
3332	schtasks.exe
2880	schtasks.exe
4056	schtasks.exe
3352	schtasks.exe
1536	schtasks.exe
1388	schtasks.exe
4900	schtasks.exe
4216	schtasks.exe
1240	schtasks.exe
3872	schtasks.exe
1476	schtasks.exe
1996	schtasks.exe
932	schtasks.exe
3400	schtasks.exe
5036	schtasks.exe
872	schtasks.exe
3396	schtasks.exe
864	schtasks.exe
1272	schtasks.exe
1948	schtasks.exe
4468	schtasks.exe
4632	schtasks.exe
3404	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe
3200	upfc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3200	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
Token: SeDebugPrivilege	3200	upfc.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 4576	1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	132
PID 1560 wrote to memory of 4576	1560	5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe	132
PID 4576 wrote to memory of 3724	4576	cmd.exe	134
PID 4576 wrote to memory of 3724	4576	cmd.exe	134
PID 4576 wrote to memory of 3200	4576	cmd.exe	141
PID 4576 wrote to memory of 3200	4576	cmd.exe	141
PID 3200 wrote to memory of 1636	3200	upfc.exe	143
PID 3200 wrote to memory of 1636	3200	upfc.exe	143
PID 3200 wrote to memory of 700	3200	upfc.exe	144
PID 3200 wrote to memory of 700	3200	upfc.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe
"C:\Users\Admin\AppData\Local\Temp\5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HEn4gW8y3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3724
- - C:\Program Files\Windows Photo Viewer\upfc.exe
    "C:\Program Files\Windows Photo Viewer\upfc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af11301d-3954-47fb-8eae-53189756b420.vbs"
      4⤵
      PID:1636
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5663167-c8a6-4b48-975f-1fb837719b1c.vbs"
      4⤵
      PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Searches\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\DiagTrack\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3HEn4gW8y3.bat

Filesize
211B

MD5
8cc18958736d3e8fc100e4c98d69757b

SHA1
b751af89966971f4f94830a10eab14531cc12d2d

SHA256
3813ae80dce1e0e9c1979976be925c0e4a219f1a1a01c6c2144bef9baa69e2dd

SHA512
d5a149b4df359d36ef3291233cf648f72da093489733d1e72f7b2fbdd04c6b0b60804d85a4ba02e4cd6a34ff7194ceb08435cc72ec3d699928652bf1dbff13fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5663167-c8a6-4b48-975f-1fb837719b1c.vbs

Filesize
498B

MD5
6c10bfeb983d705847ab79d9bb8174bf

SHA1
18f7f8d59d64244ba2b55cf87479ab956066ea05

SHA256
05643dc900b064fdb052e89c8f0448a5f0f04294bb1a8f2c9ad6b1070b8d3d03

SHA512
a8efb0f5697afb199396f0073dd28f7f2207eb2b667c13f60dc439d843895a1fc3a917bef8e6361c8cc16ec3e6320be45a39bc41d6411d092dbd62c38c6073ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\af11301d-3954-47fb-8eae-53189756b420.vbs

Filesize
722B

MD5
591355ff752451efe4ef7033130b94f4

SHA1
d5ed712d2281984bf3a29e6dfb1401c7912e3ae0

SHA256
b8cdee8f1ca7df65eb3099a0b6e3b9994cc6be6e3288c1a1e0880eac53bd0797

SHA512
3534d7766e0c3b35d091ac54f6929e050b9c906f3a9404ea34a40a07a65ebd9ec570084571ee59a6e2b085f14f8753e552447be795a3a3743988a2e77065ca0c

Download Submit
C:\Windows\LiveKernelReports\lsass.exe

Filesize
2.4MB

MD5
526153cbd86009228ad53cd262a9c6b3

SHA1
6bbe6ce1bdd69cfd516170d5abe2fe4379b6bac2

SHA256
5cebc27b366a165f72fc0f83b570434b6ae5edae22c0e6023d27c9642b702b48

SHA512
9b01653e6f5b80d8497d8aba00aca45b305feaecd13fd4075ff4e1c06d9cb29d96d0422b3dce43d0b96316510f6fad1e2e49b64ac6038725961de98e7ba9d665

Download Submit
memory/1560-5-0x0000000003280000-0x0000000003288000-memory.dmp

Filesize
32KB

Download
memory/1560-13-0x000000001C420000-0x000000001C42E000-memory.dmp

Filesize
56KB

Download
memory/1560-7-0x000000001C3D0000-0x000000001C426000-memory.dmp

Filesize
344KB

Download
memory/1560-4-0x000000001BF60000-0x000000001BFB0000-memory.dmp

Filesize
320KB

Download
memory/1560-8-0x0000000003400000-0x000000000340C000-memory.dmp

Filesize
48KB

Download
memory/1560-9-0x000000001BE10000-0x000000001BE22000-memory.dmp

Filesize
72KB

Download
memory/1560-10-0x000000001CD60000-0x000000001D288000-memory.dmp

Filesize
5.2MB

Download
memory/1560-11-0x000000001BE40000-0x000000001BE48000-memory.dmp

Filesize
32KB

Download
memory/1560-14-0x000000001C430000-0x000000001C43C000-memory.dmp

Filesize
48KB

Download
memory/1560-0-0x00007FF95E373000-0x00007FF95E375000-memory.dmp

Filesize
8KB

Download
memory/1560-12-0x000000001BFB0000-0x000000001BFBA000-memory.dmp

Filesize
40KB

Download
memory/1560-6-0x000000001BDF0000-0x000000001BE06000-memory.dmp

Filesize
88KB

Download
memory/1560-50-0x00007FF95E370000-0x00007FF95EE31000-memory.dmp

Filesize
10.8MB

Download
memory/1560-3-0x00000000033E0000-0x00000000033FC000-memory.dmp

Filesize
112KB

Download
memory/1560-1-0x0000000000F40000-0x00000000011B6000-memory.dmp

Filesize
2.5MB

Download
memory/1560-2-0x00007FF95E370000-0x00007FF95EE31000-memory.dmp

Filesize
10.8MB

Download
memory/3200-55-0x000000001B3F0000-0x000000001B402000-memory.dmp

Filesize
72KB

Download