dcrat | 88953240e260b3ca53b4563afa657ee6d414b887a972e8862b12ca46e0a5853d

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

terminal.exe
Size

2.9MB
MD5

200451026a7f2be02adb274026dc827a
SHA1

655f5cff899d319975dfd43b1902e6318a0944f6
SHA256

88953240e260b3ca53b4563afa657ee6d414b887a972e8862b12ca46e0a5853d
SHA512

1054e3b258fab5f496cea9e156b0b17b9e5b1f4f5b049a4308df1b200d89534c88ec1ff11e6612a2b0961842984fe31d7d38b8077c14fd9bb388a03e7d0c3ac8
SSDEEP

49152:1bA3PlN3nP+YscRfII1f8CReMT1Um7GWw/N0TOu09gqpBuuDqtmAP:1buN3nrsc5fdRfTr7GWw/ayl9RIuDqtZ

Score

10^/10

dcrat discovery evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	2832	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2832	schtasks.exe	86

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023bf9-10.dat	dcrat
behavioral2/memory/952-13-0x00000000008E0000-0x0000000000B94000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	terminal.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	portdrivernet.exe

Executes dropped EXE 2 IoCs

pid	Process
952	portdrivernet.exe
2172	unsecapp.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portdrivernet.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe	portdrivernet.exe
File created	C:\Program Files\Windows Defender\en-US\e6c9b481da804f	portdrivernet.exe
File created	C:\Program Files\Uninstall Information\MoUsoCoreWorker.exe	portdrivernet.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe	portdrivernet.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\29c1c3cc0f7685	portdrivernet.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\images\SearchApp.exe	portdrivernet.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\unsecapp.exe	portdrivernet.exe
File created	C:\Program Files\Uninstall Information\1f93f77a7f4778	portdrivernet.exe
File created	C:\Program Files\dotnet\swidtag\OfficeClickToRun.exe	portdrivernet.exe
File created	C:\Program Files\dotnet\swidtag\e6c9b481da804f	portdrivernet.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\886983d96e3d3e	portdrivernet.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\conhost.exe	portdrivernet.exe
File created	C:\Windows\TAPI\088424020bedd6	portdrivernet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	terminal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	terminal.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3992	schtasks.exe
1336	schtasks.exe
980	schtasks.exe
4504	schtasks.exe
216	schtasks.exe
3112	schtasks.exe
368	schtasks.exe
3576	schtasks.exe
2472	schtasks.exe
5084	schtasks.exe
2588	schtasks.exe
3572	schtasks.exe
4744	schtasks.exe
4520	schtasks.exe
2808	schtasks.exe
4800	schtasks.exe
2164	schtasks.exe
2828	schtasks.exe
3880	schtasks.exe
2216	schtasks.exe
1388	schtasks.exe
5072	schtasks.exe
2264	schtasks.exe
4872	schtasks.exe
3888	schtasks.exe
1764	schtasks.exe
2840	schtasks.exe
4640	schtasks.exe
852	schtasks.exe
400	schtasks.exe
2896	schtasks.exe
1908	schtasks.exe
4832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
952	portdrivernet.exe
952	portdrivernet.exe
952	portdrivernet.exe
2172	unsecapp.exe
2172	unsecapp.exe
2172	unsecapp.exe
2172	unsecapp.exe
2172	unsecapp.exe
2172	unsecapp.exe
2172	unsecapp.exe
2172	unsecapp.exe
2172	unsecapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2172	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	portdrivernet.exe
Token: SeDebugPrivilege	2172	unsecapp.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 1584	4368	terminal.exe	82
PID 4368 wrote to memory of 1584	4368	terminal.exe	82
PID 4368 wrote to memory of 1584	4368	terminal.exe	82
PID 1584 wrote to memory of 4936	1584	WScript.exe	88
PID 1584 wrote to memory of 4936	1584	WScript.exe	88
PID 1584 wrote to memory of 4936	1584	WScript.exe	88
PID 4936 wrote to memory of 952	4936	cmd.exe	90
PID 4936 wrote to memory of 952	4936	cmd.exe	90
PID 952 wrote to memory of 2172	952	portdrivernet.exe	126
PID 952 wrote to memory of 2172	952	portdrivernet.exe	126

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	portdrivernet.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	unsecapp.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\terminal.exe
"C:\Users\Admin\AppData\Local\Temp\terminal.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\containercomponentfontruntime\XmZE9.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\containercomponentfontruntime\portdrivernet.exe
      "C:\containercomponentfontruntime\portdrivernet.exe"
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:952
    - - C:\Program Files (x86)\Reference Assemblies\Microsoft\unsecapp.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\unsecapp.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\containercomponentfontruntime\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\containercomponentfontruntime\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\containercomponentfontruntime\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\swidtag\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\swidtag\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\containercomponentfontruntime\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\containercomponentfontruntime\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\containercomponentfontruntime\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\containercomponentfontruntime\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\containercomponentfontruntime\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\containercomponentfontruntime\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\en-US\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\TAPI\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\containercomponentfontruntime\XmZE9.bat

Filesize
52B

MD5
7f19dde92420e1112fb9ef25b0c56e38

SHA1
9da19ead2fccc172a39171f026eed2623229d2b7

SHA256
697ad5724417463eb1e37c6e173bc24ca4416b3c064036b06b5c05bc6c33742a

SHA512
6a184f7e5fb90e302fbdc92eff043b84cab803e741abea94a7a06e1c3f502babd60b95e75b705ae8cd27430dc0bf3873d4ff9b719ea28648f50e080ebef79268

Download Submit
C:\containercomponentfontruntime\portdrivernet.exe

Filesize
2.7MB

MD5
718e0805d80d7e040a20b5aeda4f877d

SHA1
c83f6d2c1ec158e20af2bf54f4d7aeb465cbe58e

SHA256
cb1189a7b059346d31cca7596357609eb52e9e518ef59a7659a0e061602f7c0b

SHA512
d3854ad4a29732f802a5087c320ca8b85cf46a818f5d283ab612254e9b495e4019c58cc1c8fe7d9f369e070a025d367d6226cf92343b1cafdc8f4aab9fb38cc9

Download Submit
C:\containercomponentfontruntime\qhSOQkLJ6CCd.vbe

Filesize
211B

MD5
8ac77355599fe3bfb19415a591c62148

SHA1
ca5b38c7525b454144d6dfb681a7d5b7c8afd807

SHA256
993cc8867a308e64cb94b89206c6632cc1e160a5de372e29686b86a7eb9b318b

SHA512
38c7bce3490a171bda26f482e1ef50cdd5cbe8f59f9ce5bafbc452fb8f3b878b9e72a3358489765e8b30ca19e8dba9cb9ffed92f24267a7ba0aab5311416b2b6

Download Submit
memory/952-21-0x000000001B710000-0x000000001B71A000-memory.dmp

Filesize
40KB

Download
memory/952-23-0x000000001BED0000-0x000000001BED8000-memory.dmp

Filesize
32KB

Download
memory/952-14-0x0000000001350000-0x000000000135E000-memory.dmp

Filesize
56KB

Download
memory/952-15-0x000000001B6A0000-0x000000001B6BC000-memory.dmp

Filesize
112KB

Download
memory/952-16-0x000000001BE80000-0x000000001BED0000-memory.dmp

Filesize
320KB

Download
memory/952-17-0x0000000001360000-0x0000000001368000-memory.dmp

Filesize
32KB

Download
memory/952-18-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/952-19-0x000000001B6F0000-0x000000001B706000-memory.dmp

Filesize
88KB

Download
memory/952-20-0x000000001B6D0000-0x000000001B6D8000-memory.dmp

Filesize
32KB

Download
memory/952-12-0x00007FFD215F3000-0x00007FFD215F5000-memory.dmp

Filesize
8KB

Download
memory/952-22-0x000000001B720000-0x000000001B776000-memory.dmp

Filesize
344KB

Download
memory/952-13-0x00000000008E0000-0x0000000000B94000-memory.dmp

Filesize
2.7MB

Download
memory/952-24-0x000000001BFE0000-0x000000001BFF2000-memory.dmp

Filesize
72KB

Download
memory/952-25-0x000000001C520000-0x000000001CA48000-memory.dmp

Filesize
5.2MB

Download
memory/952-28-0x000000001BF20000-0x000000001BF2C000-memory.dmp

Filesize
48KB

Download
memory/952-30-0x000000001BF40000-0x000000001BF4C000-memory.dmp

Filesize
48KB

Download
memory/952-29-0x000000001BF30000-0x000000001BF3E000-memory.dmp

Filesize
56KB

Download
memory/952-27-0x000000001BF10000-0x000000001BF18000-memory.dmp

Filesize
32KB

Download
memory/952-26-0x000000001BF00000-0x000000001BF08000-memory.dmp

Filesize
32KB

Download
memory/952-31-0x000000001BF50000-0x000000001BF5A000-memory.dmp

Filesize
40KB

Download
memory/952-32-0x000000001BF60000-0x000000001BF6C000-memory.dmp

Filesize
48KB

Download
memory/2172-66-0x000000001BAC0000-0x000000001BB16000-memory.dmp

Filesize
344KB

Download