dcrat | 41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

Analysis

max time kernel
117s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Size

2.3MB
MD5

1e83ded2729ce777053c604e7d667c38
SHA1

e4de4580f9e80703961c6df8b3dc687d6ff16cda
SHA256

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309
SHA512

6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1
SSDEEP

49152:P581k6pWQwY9zhWLCGUdeuGMvLq0jvYQxkm:P58C6pgTEO0jvYQR

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2944	schtasks.exe
		4252	schtasks.exe
		2592	schtasks.exe
		3664	schtasks.exe
		3912	schtasks.exe
File created	C:\Windows\Migration\WTR\5b884080fd4f94		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		632	schtasks.exe
		4308	schtasks.exe
		2444	schtasks.exe
		5040	schtasks.exe
		2008	schtasks.exe
		2228	schtasks.exe
		2368	schtasks.exe
		4616	schtasks.exe
		1180	schtasks.exe
		2260	schtasks.exe
		544	schtasks.exe
		4524	schtasks.exe
		1596	schtasks.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6ccacd8608530f		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		412	schtasks.exe
		3608	schtasks.exe
		3216	schtasks.exe
		3420	schtasks.exe
		2572	schtasks.exe
		3384	schtasks.exe
File created	C:\Program Files\Internet Explorer\e6c9b481da804f		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		4572	schtasks.exe
		3236	schtasks.exe
		2216	schtasks.exe
		4812	schtasks.exe
		4708	schtasks.exe
		3604	schtasks.exe
		712	schtasks.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ee2ad38f3d4382		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		2332	schtasks.exe
		3908	schtasks.exe
		1156	schtasks.exe
		1184	schtasks.exe
		3128	schtasks.exe
		1032	schtasks.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\29c1c3cc0f7685		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		2700	schtasks.exe
		3712	schtasks.exe
		3488	schtasks.exe
		1928	schtasks.exe
		636	schtasks.exe
		3472	schtasks.exe
		4820	schtasks.exe
		2308	schtasks.exe
		3684	schtasks.exe
		5108	schtasks.exe
		3004	schtasks.exe
		2684	schtasks.exe
		1656	schtasks.exe
		3528	schtasks.exe
		1916	schtasks.exe
		3840	schtasks.exe
		380	schtasks.exe
		2588	schtasks.exe
		1400	schtasks.exe
		1048	schtasks.exe
		3952	schtasks.exe
		4108	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3420	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3460	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3460	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4080-1-0x00000000005F0000-0x0000000000840000-memory.dmp	dcrat
behavioral2/files/0x0007000000023cbf-19.dat	dcrat

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 10 IoCs

pid	Process
2168	csrss.exe
3428	csrss.exe
5040	csrss.exe
4336	csrss.exe
2256	csrss.exe
184	csrss.exe
4564	csrss.exe
1108	csrss.exe
4852	csrss.exe
3004	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
41	pastebin.com
47	pastebin.com
53	pastebin.com
54	pastebin.com
19	pastebin.com
39	pastebin.com
45	pastebin.com
46	pastebin.com
18	pastebin.com

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\DESIGNER\RuntimeBroker.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\9e8d7a4ca61bd9	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\eddb19405b7ce1	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\cc11b995f2a76d	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\unsecapp.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\ee2ad38f3d4382	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\MSBuild\taskhostw.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Internet Explorer\e6c9b481da804f	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\MSBuild\ea9f0e6c9e2dcd	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Crashpad\reports\c5b4cb5e9653cc	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\5940a34987c991	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\unsecapp.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Common Files\DESIGNER\9e8d7a4ca61bd9	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\29c1c3cc0f7685	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\Registry.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Portable Devices\22eafd247d37c3	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\ModifiableWindowsApps\fontdrvhost.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\unsecapp.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\29c1c3cc0f7685	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Crashpad\reports\services.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\29c1c3cc0f7685	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\RuntimeBroker.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\Idle.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6ccacd8608530f	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\Registry.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Internet Explorer\OfficeClickToRun.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\fontdrvhost.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File opened for modification	C:\Windows\appcompat\encapsulation\services.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Performance\WinSAT\DataStore\6cb0b6c459d5d3	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Speech_OneCore\Engines\886983d96e3d3e	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\WaaS\tasks\fontdrvhost.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Migration\WTR\5b884080fd4f94	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\appcompat\encapsulation\services.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\appcompat\encapsulation\c5b4cb5e9653cc	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Performance\WinSAT\DataStore\dwm.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Speech_OneCore\Engines\csrss.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3608	schtasks.exe
3420	schtasks.exe
3004	schtasks.exe
2588	schtasks.exe
544	schtasks.exe
736	schtasks.exe
3604	schtasks.exe
1244	schtasks.exe
4108	schtasks.exe
3996	schtasks.exe
4564	schtasks.exe
3664	schtasks.exe
4552	schtasks.exe
4812	schtasks.exe
4964	schtasks.exe
2716	schtasks.exe
4708	schtasks.exe
636	schtasks.exe
3908	schtasks.exe
1048	schtasks.exe
2368	schtasks.exe
2944	schtasks.exe
3684	schtasks.exe
4724	schtasks.exe
5108	schtasks.exe
2572	schtasks.exe
1928	schtasks.exe
4524	schtasks.exe
3448	schtasks.exe
632	schtasks.exe
2108	schtasks.exe
1184	schtasks.exe
2592	schtasks.exe
5088	schtasks.exe
3384	schtasks.exe
2216	schtasks.exe
1596	schtasks.exe
5040	schtasks.exe
3128	schtasks.exe
2008	schtasks.exe
2008	schtasks.exe
1032	schtasks.exe
2332	schtasks.exe
2684	schtasks.exe
2260	schtasks.exe
712	schtasks.exe
1656	schtasks.exe
4820	schtasks.exe
4976	schtasks.exe
3664	schtasks.exe
2228	schtasks.exe
412	schtasks.exe
4252	schtasks.exe
1180	schtasks.exe
380	schtasks.exe
736	schtasks.exe
1908	schtasks.exe
4616	schtasks.exe
3840	schtasks.exe
2308	schtasks.exe
2292	schtasks.exe
1224	schtasks.exe
2700	schtasks.exe
1400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
2168	csrss.exe
3428	csrss.exe
5040	csrss.exe
4336	csrss.exe
2256	csrss.exe
184	csrss.exe
4564	csrss.exe
1108	csrss.exe
4852	csrss.exe
3004	csrss.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	2168	csrss.exe
Token: SeDebugPrivilege	3428	csrss.exe
Token: SeDebugPrivilege	5040	csrss.exe
Token: SeDebugPrivilege	4336	csrss.exe
Token: SeDebugPrivilege	2256	csrss.exe
Token: SeDebugPrivilege	184	csrss.exe
Token: SeDebugPrivilege	4564	csrss.exe
Token: SeDebugPrivilege	1108	csrss.exe
Token: SeDebugPrivilege	4852	csrss.exe
Token: SeDebugPrivilege	3004	csrss.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 3392	4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	129
PID 4080 wrote to memory of 3392	4080	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	129
PID 3392 wrote to memory of 4996	3392	cmd.exe	131
PID 3392 wrote to memory of 4996	3392	cmd.exe	131
PID 3392 wrote to memory of 4056	3392	cmd.exe	135
PID 3392 wrote to memory of 4056	3392	cmd.exe	135
PID 4056 wrote to memory of 2168	4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	186
PID 4056 wrote to memory of 2168	4056	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	186
PID 2168 wrote to memory of 4016	2168	csrss.exe	191
PID 2168 wrote to memory of 4016	2168	csrss.exe	191
PID 4016 wrote to memory of 4344	4016	cmd.exe	193
PID 4016 wrote to memory of 4344	4016	cmd.exe	193
PID 4016 wrote to memory of 3428	4016	cmd.exe	199
PID 4016 wrote to memory of 3428	4016	cmd.exe	199
PID 3428 wrote to memory of 2136	3428	csrss.exe	202
PID 3428 wrote to memory of 2136	3428	csrss.exe	202
PID 2136 wrote to memory of 3604	2136	cmd.exe	204
PID 2136 wrote to memory of 3604	2136	cmd.exe	204
PID 2136 wrote to memory of 5040	2136	cmd.exe	206
PID 2136 wrote to memory of 5040	2136	cmd.exe	206
PID 5040 wrote to memory of 3544	5040	csrss.exe	212
PID 5040 wrote to memory of 3544	5040	csrss.exe	212
PID 3544 wrote to memory of 1064	3544	cmd.exe	214
PID 3544 wrote to memory of 1064	3544	cmd.exe	214
PID 3544 wrote to memory of 4336	3544	cmd.exe	216
PID 3544 wrote to memory of 4336	3544	cmd.exe	216
PID 4336 wrote to memory of 632	4336	csrss.exe	219
PID 4336 wrote to memory of 632	4336	csrss.exe	219
PID 632 wrote to memory of 4320	632	cmd.exe	221
PID 632 wrote to memory of 4320	632	cmd.exe	221
PID 632 wrote to memory of 2256	632	cmd.exe	223
PID 632 wrote to memory of 2256	632	cmd.exe	223
PID 2256 wrote to memory of 2876	2256	csrss.exe	228
PID 2256 wrote to memory of 2876	2256	csrss.exe	228
PID 2876 wrote to memory of 4708	2876	cmd.exe	230
PID 2876 wrote to memory of 4708	2876	cmd.exe	230
PID 2876 wrote to memory of 184	2876	cmd.exe	232
PID 2876 wrote to memory of 184	2876	cmd.exe	232
PID 184 wrote to memory of 1048	184	csrss.exe	235
PID 184 wrote to memory of 1048	184	csrss.exe	235
PID 1048 wrote to memory of 324	1048	cmd.exe	237
PID 1048 wrote to memory of 324	1048	cmd.exe	237
PID 1048 wrote to memory of 4564	1048	cmd.exe	239
PID 1048 wrote to memory of 4564	1048	cmd.exe	239
PID 4564 wrote to memory of 2528	4564	csrss.exe	243
PID 4564 wrote to memory of 2528	4564	csrss.exe	243
PID 2528 wrote to memory of 1840	2528	cmd.exe	245
PID 2528 wrote to memory of 1840	2528	cmd.exe	245
PID 2528 wrote to memory of 1108	2528	cmd.exe	247
PID 2528 wrote to memory of 1108	2528	cmd.exe	247
PID 1108 wrote to memory of 988	1108	csrss.exe	251
PID 1108 wrote to memory of 988	1108	csrss.exe	251
PID 988 wrote to memory of 4556	988	cmd.exe	253
PID 988 wrote to memory of 4556	988	cmd.exe	253
PID 988 wrote to memory of 4852	988	cmd.exe	255
PID 988 wrote to memory of 4852	988	cmd.exe	255
PID 4852 wrote to memory of 2844	4852	csrss.exe	259
PID 4852 wrote to memory of 2844	4852	csrss.exe	259
PID 2844 wrote to memory of 940	2844	cmd.exe	261
PID 2844 wrote to memory of 940	2844	cmd.exe	261
PID 2844 wrote to memory of 3004	2844	cmd.exe	263
PID 2844 wrote to memory of 3004	2844	cmd.exe	263

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
"C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
1⤵
- DcRat
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fCXoMj8vOc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3392
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4996
- - C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
    "C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\Speech_OneCore\Engines\csrss.exe
      "C:\Windows\Speech_OneCore\Engines\csrss.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4344
      - C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3604
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1064
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4320
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4708
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:324
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1840
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4556
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:940
        
        C:\Windows\Speech_OneCore\Engines\csrss.exe
        
        "C:\Windows\Speech_OneCore\Engines\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\3D Objects\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\3D Objects\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Links\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\Saved Pictures\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Saved Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\encapsulation\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\appcompat\encapsulation\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\DESIGNER\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\DESIGNER\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\DESIGNER\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\Engines\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\reports\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\unsecapp.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\unsecapp.exe'" /f
1⤵
- DcRat
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Default\sihost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RuntimeBroker.exe'" /f
1⤵
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Start Menu\Registry.exe'" /f
1⤵
- DcRat
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Portable Devices\TextInputHost.exe

Filesize
2.3MB

MD5
1e83ded2729ce777053c604e7d667c38

SHA1
e4de4580f9e80703961c6df8b3dc687d6ff16cda

SHA256
41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

SHA512
6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe.log

Filesize
1KB

MD5
bbb951a34b516b66451218a3ec3b0ae1

SHA1
7393835a2476ae655916e0a9687eeaba3ee876e9

SHA256
eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

SHA512
63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9EVEWoB6gn.bat

Filesize
208B

MD5
dc104b33e12f6f16035f7839d7fbe04b

SHA1
e8213253cf4f29a401a3dd41ff20ed1f73c9f30a

SHA256
9ed97e3447f1363ec393b38cbe4b0562d5935c9b3929b173385da81186cf47e0

SHA512
2d755bdfe74ad9c5ce895af1610cc22253202de9052e4a9b802e7aeec3b33d5cb4bdfc1a5ff46d4d8b159305456dbdaffa295a6895a2bc3a80c4a9b72af42657

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
208B

MD5
1d75c88f329353be12e5d546f89b913a

SHA1
14621d749544b0c6580cfa586ad168026bafc16b

SHA256
497d76134ea0882a142ebb788b95d5cd218560d8e8063f129f62431b47dd93e8

SHA512
3357d57c7eac00e7f37822a7735a19460cc4db63ac7638677cd21a4bd417acf6ff83ad4f54624ed6a9bcd9d9b3456989ba5fc2887685b7804a199009f53a7501

Download Submit
C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat

Filesize
208B

MD5
00561d4b16c8f15b309e3661ca1cb949

SHA1
a64ce964c330aad3bd2072393d1b019471dc4df3

SHA256
532adc55af8dc11b4b40b7ab87a69f072fd3319905d049f2026ed36d3fd8908e

SHA512
7c6ffe1d96ffe82091bf84f99f5d434c81fb527583a2bcf29acaa49f20918de1c35c9a95e3ef5ee5f1cce0d2ffffbd837721b6d72b63feca7ff7082f20d00453

Download Submit
C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

Filesize
208B

MD5
3b2ac29792d3af79af8d66be1ee8b01f

SHA1
9822fa635ed79ed1548dd45f64cd900258cb990b

SHA256
e1d1f1f89ff37d37a860fc4faedb28f61d6b676cce7dc355d9eeaae5985d3eb2

SHA512
42bf5a8fa2f53cbaf3e51e32762175a4ce72250207e669c2cc1464cb5f29790038e01318152b5da7212100813ed9c420556ef8a965d78e257dbabcd3c3eaefbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

Filesize
208B

MD5
5175924ed436e516c67094a54c726d3b

SHA1
d144f6eed70be1206dbd408a281dd980afb8cdc2

SHA256
2c3a7655b07900b6324b555fb41bfe892787b5b870ec815e555efcfb1ea25a2e

SHA512
0095517c6f4721fdfc6ceaee8535aa2993bc608aa006c6024ad5b8c27fb34c294c1188fb48819c44047e8626e9a514cc4c32c64313c9f0fd6e0d8708d8c2a459

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

Filesize
208B

MD5
0a8ad5fa84d5a44be33eb8c01492df2e

SHA1
af7a6d9505f7fa1e251ef010dae1fbdffd1515f1

SHA256
ce0aec5b85b328f8f362fd914ca72d5d912bf2a4feefccb129f86cecd46c5db4

SHA512
650ceea5b8bd511c1489f0549bd34b19fab782bbe762b805156c9aa3347557732b10fcaa0076eab5814fd29d7a2a69b710432e890cc6198fddba7d28a2022aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fCXoMj8vOc.bat

Filesize
267B

MD5
a76cc9fde79de77ebeebc1d48b7ffb6a

SHA1
ec12d72540a506123c6a78dfce468e267d0af4d4

SHA256
c04a3dae6790d3bfaa21c8ea0579cb41f1edab1ec89c77af45900ac2904c5fcf

SHA512
9345469fb7724b9525435a6575810fc36cea08dd045183d2438f0f65dd9b43211f64339f5d717a4a538a986beaf399ef593c995ff5467a799f168d03eee23a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

Filesize
208B

MD5
59e850284890509c809ffb25d5c73f44

SHA1
f618b87567fe34f1b23f99c469b8057f2f8dce6e

SHA256
53f62253444b5ad33aa02c7dcb06df7fd530c5756d6eee27f482de3eca63799f

SHA512
f7e1ebc27c73e571b87f59b72fdcf852e9fed9d30bc2a6c9c0cc668a6d32a271f250c71a5065eb5b378210f196294464da02f63c5e604efbff4945a903e93794

Download Submit
memory/184-130-0x000000001BDF0000-0x000000001BE02000-memory.dmp

Filesize
72KB

Download
memory/184-135-0x000000001E760000-0x000000001E909000-memory.dmp

Filesize
1.7MB

Download
memory/1108-149-0x000000001E3D0000-0x000000001E579000-memory.dmp

Filesize
1.7MB

Download
memory/2168-93-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download
memory/2256-126-0x000000001DF60000-0x000000001E109000-memory.dmp

Filesize
1.7MB

Download
memory/2256-127-0x000000001DF60000-0x000000001E109000-memory.dmp

Filesize
1.7MB

Download
memory/4056-49-0x000000001BE80000-0x000000001BED6000-memory.dmp

Filesize
344KB

Download
memory/4056-50-0x000000001B910000-0x000000001B922000-memory.dmp

Filesize
72KB

Download
memory/4080-8-0x000000001C350000-0x000000001C878000-memory.dmp

Filesize
5.2MB

Download
memory/4080-10-0x000000001B510000-0x000000001B518000-memory.dmp

Filesize
32KB

Download
memory/4080-5-0x0000000002980000-0x0000000002996000-memory.dmp

Filesize
88KB

Download
memory/4080-1-0x00000000005F0000-0x0000000000840000-memory.dmp

Filesize
2.3MB

Download
memory/4080-6-0x000000001BA40000-0x000000001BA96000-memory.dmp

Filesize
344KB

Download
memory/4080-7-0x00000000029A0000-0x00000000029B2000-memory.dmp

Filesize
72KB

Download
memory/4080-46-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp

Filesize
10.8MB

Download
memory/4080-4-0x000000001B4C0000-0x000000001B510000-memory.dmp

Filesize
320KB

Download
memory/4080-0-0x00007FFFA5FC3000-0x00007FFFA5FC5000-memory.dmp

Filesize
8KB

Download
memory/4080-2-0x00007FFFA5FC0000-0x00007FFFA6A81000-memory.dmp

Filesize
10.8MB

Download
memory/4080-9-0x00000000029D0000-0x00000000029DE000-memory.dmp

Filesize
56KB

Download
memory/4080-3-0x0000000002950000-0x000000000296C000-memory.dmp

Filesize
112KB

Download
memory/4336-119-0x000000001DF60000-0x000000001E109000-memory.dmp

Filesize
1.7MB

Download
memory/4564-142-0x000000001E1B0000-0x000000001E359000-memory.dmp

Filesize
1.7MB

Download
memory/4852-152-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/4852-157-0x000000001DD60000-0x000000001DF09000-memory.dmp

Filesize
1.7MB

Download
memory/5040-112-0x000000001E2B0000-0x000000001E459000-memory.dmp

Filesize
1.7MB

Download