dcrat | ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/10/2024, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Size

1.6MB
MD5

8ce0a9103ab10fed54094a3a2d1146e0
SHA1

4aef0ddaa8d065170c0ff2cc099c31aa6b1085aa
SHA256

ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0
SHA512

cf0adcb740f1eec83e6477bc487cf3a0d152222e08f186b78a674e0e9178b591e7088c5a2d2763dbd6eed55e3eef2bbdfaddf1791158e7dad7c891577f71e76f
SSDEEP

24576:NsoVH984fBm2iMbyrpEGwFQ0Gm3eQk31V6hK5r898Qs:NAtJeGwkm3eQk31rF8V

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2352	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2352	schtasks.exe	30

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2760-1-0x00000000003D0000-0x0000000000570000-memory.dmp	dcrat
behavioral1/files/0x00060000000174a6-23.dat	dcrat
behavioral1/memory/1832-49-0x0000000000DD0000-0x0000000000F70000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
1832	csrss.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\audiodg.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\smss.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files\Windows Sidebar\42af1c969fbb7b	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\6ccacd8608530f	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\27d1bcfc3c54e0	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Speech\886983d96e3d3e	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\Offline Web Pages\winlogon.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\Offline Web Pages\cc11b995f2a76d	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\ja-JP\lsass.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\ja-JP\6203df4a6bafc7	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\Help\mui\0411\lsm.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\Help\mui\0411\101b941d020240	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
File created	C:\Windows\Speech\csrss.exe	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
1148	schtasks.exe
2384	schtasks.exe
2900	schtasks.exe
2448	schtasks.exe
2792	schtasks.exe
2572	schtasks.exe
2072	schtasks.exe
2888	schtasks.exe
756	schtasks.exe
984	schtasks.exe
2592	schtasks.exe
864	schtasks.exe
1976	schtasks.exe
2204	schtasks.exe
2372	schtasks.exe
2808	schtasks.exe
2236	schtasks.exe
2404	schtasks.exe
1700	schtasks.exe
1824	schtasks.exe
2816	schtasks.exe
396	schtasks.exe
1004	schtasks.exe
1320	schtasks.exe
2144	schtasks.exe
2112	schtasks.exe
2672	schtasks.exe
804	schtasks.exe
2876	schtasks.exe
2600	schtasks.exe
996	schtasks.exe
2380	schtasks.exe
2132	schtasks.exe
2168	schtasks.exe
1592	schtasks.exe
2980	schtasks.exe
2936	schtasks.exe
2344	schtasks.exe
2232	schtasks.exe
848	schtasks.exe
1852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
1832	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Token: SeDebugPrivilege	1832	csrss.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 1832	2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	73
PID 2760 wrote to memory of 1832	2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	73
PID 2760 wrote to memory of 1832	2760	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe	73

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe
"C:\Users\Admin\AppData\Local\Temp\ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0N.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2760
- C:\Windows\Speech\csrss.exe
  "C:\Windows\Speech\csrss.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\mui\0411\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Help\mui\0411\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\mui\0411\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab43E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43F8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Speech\csrss.exe

Filesize
1.6MB

MD5
8ce0a9103ab10fed54094a3a2d1146e0

SHA1
4aef0ddaa8d065170c0ff2cc099c31aa6b1085aa

SHA256
ab7307731f5026b64631fe11b117e29ed3a4c851df388238048b6370bb99fee0

SHA512
cf0adcb740f1eec83e6477bc487cf3a0d152222e08f186b78a674e0e9178b591e7088c5a2d2763dbd6eed55e3eef2bbdfaddf1791158e7dad7c891577f71e76f

Download Submit
memory/1832-51-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1832-49-0x0000000000DD0000-0x0000000000F70000-memory.dmp

Filesize
1.6MB

Download
memory/2760-5-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2760-12-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2760-7-0x0000000002150000-0x000000000215C000-memory.dmp

Filesize
48KB

Download
memory/2760-10-0x0000000002180000-0x0000000002192000-memory.dmp

Filesize
72KB

Download
memory/2760-9-0x0000000002170000-0x000000000217C000-memory.dmp

Filesize
48KB

Download
memory/2760-8-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/2760-13-0x0000000002360000-0x000000000236A000-memory.dmp

Filesize
40KB

Download
memory/2760-6-0x00000000020C0000-0x00000000020CA000-memory.dmp

Filesize
40KB

Download
memory/2760-11-0x00000000021B0000-0x00000000021BE000-memory.dmp

Filesize
56KB

Download
memory/2760-14-0x00000000023F0000-0x00000000023FC000-memory.dmp

Filesize
48KB

Download
memory/2760-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

Filesize
4KB

Download
memory/2760-50-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-4-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2760-3-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2760-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

Filesize
9.9MB

Download
memory/2760-1-0x00000000003D0000-0x0000000000570000-memory.dmp

Filesize
1.6MB

Download