dcrat | 7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

Analysis

max time kernel
91s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 00:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12dcc1cafbf752f84a12d3bed14cd6e2.exe
Size

2.6MB
MD5

12dcc1cafbf752f84a12d3bed14cd6e2
SHA1

9ebf8e2fef206cefff0cb2474f284869827e6e45
SHA256

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445
SHA512

e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3680	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2792	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	2792	schtasks.exe	88

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5084-1-0x00000000000A0000-0x0000000000348000-memory.dmp	dcrat
behavioral2/files/0x000a000000023ba7-29.dat	dcrat
behavioral2/files/0x000f000000023a66-72.dat	dcrat
behavioral2/files/0x000d000000023a34-99.dat	dcrat
behavioral2/files/0x0013000000023a64-122.dat	dcrat
behavioral2/files/0x000a000000023bbc-143.dat	dcrat
behavioral2/files/0x000c000000023b9b-154.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Executes dropped EXE 1 IoCs

pid	Process
1264	taskhostw.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\9e8d7a4ca61bd9	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\Windows Portable Devices\unsecapp.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXC4C3.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\Mozilla Firefox\fontdrvhost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXBBA4.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fontdrvhost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCXC541.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXBBA3.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXCA95.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXCFE8.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXD27A.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\csrss.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows NT\RuntimeBroker.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\Windows Portable Devices\29c1c3cc0f7685	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\55b276f4edf653	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCXCA17.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\Mozilla Firefox\5b884080fd4f94	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\886983d96e3d3e	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\Google\Chrome\Application\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXBDB8.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\csrss.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files\Google\Chrome\Application\f3b6ecef712a24	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXBDC9.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RuntimeBroker.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXCFD7.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\Windows Portable Devices\unsecapp.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXD1FC.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InputMethod\CHT\RuntimeBroker.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\InputMethod\CHT\9e8d7a4ca61bd9	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCXB97E.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCXB98F.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\InputMethod\CHT\RuntimeBroker.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4072	schtasks.exe
5092	schtasks.exe
2400	schtasks.exe
3780	schtasks.exe
3360	schtasks.exe
4464	schtasks.exe
2108	schtasks.exe
3672	schtasks.exe
3296	schtasks.exe
5048	schtasks.exe
4036	schtasks.exe
4956	schtasks.exe
2356	schtasks.exe
3424	schtasks.exe
3732	schtasks.exe
496	schtasks.exe
504	schtasks.exe
3944	schtasks.exe
404	schtasks.exe
4684	schtasks.exe
2188	schtasks.exe
4672	schtasks.exe
964	schtasks.exe
2644	schtasks.exe
3040	schtasks.exe
2740	schtasks.exe
3680	schtasks.exe
4952	schtasks.exe
184	schtasks.exe
2656	schtasks.exe
1264	schtasks.exe
3572	schtasks.exe
1168	schtasks.exe
4824	schtasks.exe
936	schtasks.exe
1316	schtasks.exe
3124	schtasks.exe
4908	schtasks.exe
208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe
5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe
5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe
5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe
5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe
5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe
1264	taskhostw.exe
1264	taskhostw.exe
1264	taskhostw.exe
1264	taskhostw.exe
1264	taskhostw.exe
1264	taskhostw.exe
1264	taskhostw.exe
1264	taskhostw.exe
1264	taskhostw.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	taskhostw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Token: SeDebugPrivilege	1264	taskhostw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2924	5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe	134
PID 5084 wrote to memory of 2924	5084	12dcc1cafbf752f84a12d3bed14cd6e2.exe	134
PID 2924 wrote to memory of 3552	2924	cmd.exe	137
PID 2924 wrote to memory of 3552	2924	cmd.exe	137
PID 2924 wrote to memory of 1264	2924	cmd.exe	138
PID 2924 wrote to memory of 1264	2924	cmd.exe	138

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	taskhostw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	taskhostw.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe
"C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lf4SkxfpVp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3552
- - C:\Recovery\WindowsRE\taskhostw.exe
    "C:\Recovery\WindowsRE\taskhostw.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\InputMethod\CHT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\ssh\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\ssh\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\ssh\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\RuntimeBroker.exe

Filesize
2.6MB

MD5
647a6b962726e32a07a2ac5194091240

SHA1
6ab09c2f45cf394d3a5cb4aa3aaf6c56e94af902

SHA256
bc49e22471ed9c3c8e84272db699ce687701310f065bde3fea12734fef8e425b

SHA512
c6e805bb58e0971e90e835d86e90763f1c1062cb91bff4ac09817c879aa9062367978d0f9f763dfaefe37895c0e7b757b5896cf849f1c51753a121b13bef300f

Download Submit
C:\Program Files\Google\Chrome\Application\spoolsv.exe

Filesize
2.6MB

MD5
20ad907a5ca96967f5cf6f209c9b4bf8

SHA1
b54c99b7d282e7f790f988dbd70821baff3c8fa6

SHA256
c49c50bec509d202e24ddde02b670c49f30d116b01868b0c764b0a90a008c92c

SHA512
ab128943a15bae05a269a53f460008e038e4c8534d33c86afbc0cae98c0f0f52b58124749a605c2f5efa7da9b49eec7590c9f9854a29a56ba9fed87d4ddc17e3

Download Submit
C:\Program Files\Mozilla Firefox\RCXBBA4.tmp

Filesize
2.6MB

MD5
02911d19174feb724cd47570d4188a58

SHA1
9b5a3e306b44cf73cb6b6f02b7355843029dcb8f

SHA256
dce2e3db78a32c0826767f5cb2c40f909b91d0db2209215939b5d6fbacc1df2e

SHA512
1de27f7ed6118691cfe59543a0f00c692d58ca46991ad7ecae936435cd79da97c4e56bee97bb8e14a9d9c171ef34789a812c47cc9b2991eb896be88f48c2c9b0

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
2.6MB

MD5
e6d3d830254211e2fb8d66edf90dc4c7

SHA1
b1b6813ee8e085eb20d5e78762df08280d3a0dcc

SHA256
fedcd395f919a2fa3edf59b654e4f130dd721c4793983978e8747263c01a7f07

SHA512
2330b7acd9530228178cb3179da14caf14a024b4c9a0e269cbb018563342a7608fecdaa4782af43c07886539e86ffd910a92b2cd47eddc33e295f75be51ece7e

Download Submit
C:\Recovery\WindowsRE\taskhostw.exe

Filesize
2.6MB

MD5
12dcc1cafbf752f84a12d3bed14cd6e2

SHA1
9ebf8e2fef206cefff0cb2474f284869827e6e45

SHA256
7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

SHA512
e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\lf4SkxfpVp.bat

Filesize
200B

MD5
cf1f991244055877b9d1379594d773de

SHA1
1eec6cb1dac0b93fc3a4a846068ab26744700de8

SHA256
1d0e5141444fb71b0d116a65aef43a2bdb318ade01d9b8d4362fa59faaae3a41

SHA512
e856f7b94f91cf03a68e46058ee5398574194c44244afb8af01a8339b5ed286175759fad28fed735b0c9bc0b8a44d3867ac74951f81a913aa48e00f50c448297

Download Submit
C:\Users\Default\MusNotification.exe

Filesize
2.6MB

MD5
058d14dfdd4da4256ed29668cb845124

SHA1
c1047757ce1b9063cffa8e5809f0086caeb55821

SHA256
602530a145eed5626973fd790d78508268fa71555d1ba35083551e01308f83c4

SHA512
bac14b7db3a809e5c18ab220d7b06fe76fa621afb37bf1813882c2127ff0ec84b1ffae1410feacda3248fb321483a1429a038cb7fb4955a48f0f81ac561471a4

Download Submit
memory/1264-211-0x000000001B0F0000-0x000000001B146000-memory.dmp

Filesize
344KB

Download
memory/5084-8-0x00000000024B0000-0x00000000024C6000-memory.dmp

Filesize
88KB

Download
memory/5084-18-0x000000001B0F0000-0x000000001B0FE000-memory.dmp

Filesize
56KB

Download
memory/5084-10-0x00000000024E0000-0x00000000024EA000-memory.dmp

Filesize
40KB

Download
memory/5084-11-0x000000001B060000-0x000000001B0B6000-memory.dmp

Filesize
344KB

Download
memory/5084-12-0x00000000024F0000-0x00000000024F8000-memory.dmp

Filesize
32KB

Download
memory/5084-13-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/5084-14-0x000000001C060000-0x000000001C588000-memory.dmp

Filesize
5.2MB

Download
memory/5084-16-0x000000001B0D0000-0x000000001B0D8000-memory.dmp

Filesize
32KB

Download
memory/5084-15-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/5084-20-0x000000001B110000-0x000000001B11A000-memory.dmp

Filesize
40KB

Download
memory/5084-19-0x000000001B100000-0x000000001B10C000-memory.dmp

Filesize
48KB

Download
memory/5084-9-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/5084-17-0x000000001B0E0000-0x000000001B0EC000-memory.dmp

Filesize
48KB

Download
memory/5084-0-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

Filesize
8KB

Download
memory/5084-6-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/5084-7-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/5084-5-0x0000000002630000-0x0000000002680000-memory.dmp

Filesize
320KB

Download
memory/5084-4-0x0000000000B30000-0x0000000000B4C000-memory.dmp

Filesize
112KB

Download
memory/5084-3-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/5084-176-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

Filesize
8KB

Download
memory/5084-199-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-206-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-2-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-1-0x00000000000A0000-0x0000000000348000-memory.dmp

Filesize
2.7MB

Download