dcrat | f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0da

Analysis

max time kernel
98s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Size

2.7MB
MD5

7c935427ecd47e8deb5ce641226d8980
SHA1

963be2aa84776697aabe1e77d9b0596ba3ff0020
SHA256

f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0da
SHA512

1afb5e8f858b71fa3efdf0acfd38855d735b928388866e19396b86a874b69b45b00ebbdde233f4fddce2c04eb14acb137acf511e335d327aeb7f98f6d9ac27b2
SSDEEP

49152:5H3ow5/6oEcY2I6DxCP2vAWJ6ZsSVnJTXretG/Q1Hciyc5nIudabGm:5j/NDB9m2v9JqVJ7OG/Q18irfdabGm

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3572	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3572	schtasks.exe	83

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/32-1-0x0000000000880000-0x0000000000B32000-memory.dmp	dcrat
behavioral2/files/0x000a000000023b7f-29.dat	dcrat
behavioral2/files/0x000c00000001e104-96.dat	dcrat
behavioral2/files/0x000d000000023b7b-118.dat	dcrat
behavioral2/files/0x000e000000023b7f-150.dat	dcrat
behavioral2/files/0x0009000000023bec-197.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	upfc.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCX8A41.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXA233.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCXA447.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\sihost.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\38384e6a620884	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files\VideoLAN\VLC\121e5b5079f7c0	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\sihost.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\66fc9ff0ee96c2	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX9AE8.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXA232.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files\VideoLAN\VLC\sysmon.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\RCX8A40.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\sysmon.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\66fc9ff0ee96c2	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX9AE9.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\it-IT\RCXA448.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX8C57.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX95A5.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\csrss.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Windows\Branding\Basebrd\en-US\886983d96e3d3e	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Windows\Prefetch\ReadyBoot\e1ef82546f0b02	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Windows\Branding\Basebrd\en-US\csrss.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX8C56.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File opened for modification	C:\Windows\Branding\Basebrd\en-US\RCX9623.tmp	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
File created	C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
816	schtasks.exe
4840	schtasks.exe
4828	schtasks.exe
5116	schtasks.exe
1180	schtasks.exe
2444	schtasks.exe
1752	schtasks.exe
1984	schtasks.exe
3324	schtasks.exe
5108	schtasks.exe
1036	schtasks.exe
2156	schtasks.exe
4444	schtasks.exe
1796	schtasks.exe
3876	schtasks.exe
4688	schtasks.exe
4748	schtasks.exe
1776	schtasks.exe
4012	schtasks.exe
2552	schtasks.exe
1432	schtasks.exe
1504	schtasks.exe
3248	schtasks.exe
2860	schtasks.exe
4016	schtasks.exe
4916	schtasks.exe
4452	schtasks.exe
4816	schtasks.exe
1652	schtasks.exe
5096	schtasks.exe
4252	schtasks.exe
2656	schtasks.exe
4556	schtasks.exe
4940	schtasks.exe
3160	schtasks.exe
3616	schtasks.exe
3312	schtasks.exe
4584	schtasks.exe
3540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
2332	upfc.exe
2332	upfc.exe
2332	upfc.exe
2332	upfc.exe
2332	upfc.exe
2332	upfc.exe
2332	upfc.exe
2332	upfc.exe
2332	upfc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Token: SeDebugPrivilege	2332	upfc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 1832	32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe	126
PID 32 wrote to memory of 1832	32	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe	126
PID 1832 wrote to memory of 1220	1832	cmd.exe	128
PID 1832 wrote to memory of 1220	1832	cmd.exe	128
PID 1832 wrote to memory of 2332	1832	cmd.exe	134
PID 1832 wrote to memory of 2332	1832	cmd.exe	134

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	upfc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe
"C:\Users\Admin\AppData\Local\Temp\f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0daN.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:32
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ITN63wlJdh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1220
- - C:\Users\Public\Documents\My Pictures\upfc.exe
    "C:\Users\Public\Documents\My Pictures\upfc.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\NetHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\NetHood\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Pictures\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\Basebrd\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ITN63wlJdh.bat

Filesize
211B

MD5
f6ba2e3fe5af6d2c82fad2ce092a29fa

SHA1
450f58b57c614d5a3381a551758bc7f219e9b1d7

SHA256
dc43de17852e3f50586b9f20f969bbb0ffc7e7e8ed397cb88f0b734806494278

SHA512
2b4a36e87e0071055f10e4214d2c95b0bdfc1a915c38d2c75b4591523f23e27cf39c0f6ac7eeb0d61dbca2565e5aaedfcb4567584c3111bb0f3571219611a14d

Download Submit
C:\Users\Admin\Documents\StartMenuExperienceHost.exe

Filesize
2.7MB

MD5
339902f4c246a7635faaa7685b1946df

SHA1
7078aa82d5ba806bcc088cf9ee7b4213c73b365c

SHA256
a14d46fbd5f27a7ca9a9629c9b607ae1cec35e092c1891478f03c8ed938ed0dd

SHA512
930eb620912eed7f99cc47af4fcbc3b4f9475ab5360d79c594d9fa72696c6107ee855d1a17cdc21da1edb5895fe89715384e7b0d8366644cd4c8dd53791ac40d

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Registry.exe

Filesize
2.7MB

MD5
97811201afbe605e3cc9478919c065a9

SHA1
68168aff500926bd4dc694ad9026d9442f1395c0

SHA256
405f62351ff475315346a0defc9733e3e6d6b791da9b399bd6337fabafa3564f

SHA512
794ffe6c5017705639d35949dcf770803ca2a5847891857452b5290d476c38821d52f7d7ac66419c10c736bfbf93a8c13f72e834b547b7e4b07de89371ef2d0f

Download Submit
C:\Users\Public\Pictures\upfc.exe

Filesize
2.7MB

MD5
7c935427ecd47e8deb5ce641226d8980

SHA1
963be2aa84776697aabe1e77d9b0596ba3ff0020

SHA256
f6d9e0292d18f4cc7fde4f34bd9722276a570f94bd6586392bc94fc6380ec0da

SHA512
1afb5e8f858b71fa3efdf0acfd38855d735b928388866e19396b86a874b69b45b00ebbdde233f4fddce2c04eb14acb137acf511e335d327aeb7f98f6d9ac27b2

Download Submit
C:\Users\Public\services.exe

Filesize
2.7MB

MD5
e29d82c1b6cad2891ba7d6b1c8b87a1f

SHA1
c26b51f9ec13180dc9783cc629e02da54a244779

SHA256
b41d4242b5bf0932a3a40a428fa4b3e06c7c5a3b547bdb5745d96d132e9b77db

SHA512
3212924901a329a5d2c5baafdc53800bed812a4a175dd42380079a0bea6ff17c9d14312fc2b2c35713331308f93d929c47791454c7f5d06570a5d25db5c121cf

Download Submit
C:\Windows\Branding\Basebrd\en-US\csrss.exe

Filesize
2.7MB

MD5
22a08a736a598c525d5bb9f2e39baf00

SHA1
e7e03cf52d734416962cccd6ee9cc6accf676010

SHA256
e12726ea556092d2909b7ff21aad30a788a6b3846221eab5a6fde4288b76029a

SHA512
3b04e38854fe7803247b684e36c8be02e4fdcff5a3af2000b47ccf461d24f0002162d43e8c62d86a0393d85bfd647acbfccd795dd71aa2e6f75ce7ef35de955b

Download Submit
memory/32-7-0x000000001B670000-0x000000001B680000-memory.dmp

Filesize
64KB

Download
memory/32-15-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/32-8-0x000000001B680000-0x000000001B696000-memory.dmp

Filesize
88KB

Download
memory/32-9-0x000000001B6A0000-0x000000001B6A8000-memory.dmp

Filesize
32KB

Download
memory/32-10-0x000000001B6B0000-0x000000001B6BA000-memory.dmp

Filesize
40KB

Download
memory/32-11-0x000000001BEB0000-0x000000001BF06000-memory.dmp

Filesize
344KB

Download
memory/32-12-0x000000001B710000-0x000000001B722000-memory.dmp

Filesize
72KB

Download
memory/32-14-0x000000001B740000-0x000000001B748000-memory.dmp

Filesize
32KB

Download
memory/32-18-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/32-19-0x000000001BF00000-0x000000001BF0A000-memory.dmp

Filesize
40KB

Download
memory/32-20-0x000000001BF10000-0x000000001BF1C000-memory.dmp

Filesize
48KB

Download
memory/32-17-0x000000001B780000-0x000000001B78E000-memory.dmp

Filesize
56KB

Download
memory/32-16-0x000000001B770000-0x000000001B77C000-memory.dmp

Filesize
48KB

Download
memory/32-0-0x00007FF94BB43000-0x00007FF94BB45000-memory.dmp

Filesize
8KB

Download
memory/32-13-0x000000001C430000-0x000000001C958000-memory.dmp

Filesize
5.2MB

Download
memory/32-6-0x0000000002C80000-0x0000000002C88000-memory.dmp

Filesize
32KB

Download
memory/32-5-0x000000001B6C0000-0x000000001B710000-memory.dmp

Filesize
320KB

Download
memory/32-4-0x0000000002C60000-0x0000000002C7C000-memory.dmp

Filesize
112KB

Download
memory/32-3-0x0000000002C50000-0x0000000002C5E000-memory.dmp

Filesize
56KB

Download
memory/32-178-0x00007FF94BB43000-0x00007FF94BB45000-memory.dmp

Filesize
8KB

Download
memory/32-196-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/32-2-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/32-208-0x00007FF94BB40000-0x00007FF94C601000-memory.dmp

Filesize
10.8MB

Download
memory/32-1-0x0000000000880000-0x0000000000B32000-memory.dmp

Filesize
2.7MB

Download
memory/2332-213-0x0000000003330000-0x0000000003342000-memory.dmp

Filesize
72KB

Download