dcrat | 182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-09-2022 05:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
Size

6.4MB
MD5

a2ce6b8cc1683e6f1b0e4a8ad210b4d0
SHA1

c8bf69219d2fb1b6280425e58465493b0dfab0ae
SHA256

182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3
SHA512

4f24e9fc230d3ab5c4ac19798a7c058f2e713400dde817b1082ffdd5f284e23cb0257a7a732bcacaf4867189f21f3484a9a1fd9cb63c446db549dfed7748b070
SSDEEP

98304:x25qF8LaEDcvSRApmZCzz9+hMYPGTjdThYHP3fkfsu/t/0SSEvEy6k4kCFWiSHrw:wx

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1296	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1296	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1960-55-0x000000001BD90000-0x000000001BF18000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

tmp39A.tmp.exeSystem.exetmp13EF.tmp.exe

pid process

1604 tmp39A.tmp.exe
2236 System.exe
2360 tmp13EF.tmp.exe
Loads dropped DLL 6 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

1488 WerFault.exe
1488 WerFault.exe
1488 WerFault.exe
2392 WerFault.exe
2392 WerFault.exe
2392 WerFault.exe

pid	process
1604	tmp39A.tmp.exe
2236	System.exe
2360	tmp13EF.tmp.exe

pid	process
1488	WerFault.exe
1488	WerFault.exe
1488	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe
2392	WerFault.exe

Drops file in Program Files directory 9 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\browser\services.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files\Mozilla Firefox\browser\c5b4cb5e9653cc	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\7a0fd90576e088	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files\Windows Media Player\Skins\csrss.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files\Mozilla Firefox\browser\services.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\explorer.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files\DVD Maker\lsm.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files\DVD Maker\101b941d020240	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Program Files\Windows Media Player\Skins\886983d96e3d3e	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

Drops file in Windows directory 6 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

description	ioc	process
File created	C:\Windows\ehome\ja-JP\services.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Windows\ehome\ja-JP\c5b4cb5e9653cc	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Windows\Logs\DPX\dwm.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Windows\Logs\DPX\6cb0b6c459d5d3	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Windows\PolicyDefinitions\en-US\System.exe	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
File created	C:\Windows\PolicyDefinitions\en-US\27d1bcfc3c54e0	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1488 1604 WerFault.exe tmp39A.tmp.exe
2392 2360 WerFault.exe tmp13EF.tmp.exe

pid	pid_target	process	target process
1488	1604	WerFault.exe	tmp39A.tmp.exe
2392	2360	WerFault.exe	tmp13EF.tmp.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1828	schtasks.exe
584	schtasks.exe
988	schtasks.exe
1588	schtasks.exe
584	schtasks.exe
2152	schtasks.exe
868	schtasks.exe
1328	schtasks.exe
1484	schtasks.exe
1948	schtasks.exe
996	schtasks.exe
1548	schtasks.exe
2132	schtasks.exe
796	schtasks.exe
1124	schtasks.exe
932	schtasks.exe
2168	schtasks.exe
308	schtasks.exe
1692	schtasks.exe
2000	schtasks.exe
1748	schtasks.exe
1328	schtasks.exe
2092	schtasks.exe
2188	schtasks.exe
596	schtasks.exe
688	schtasks.exe
776	schtasks.exe
1688	schtasks.exe
1084	schtasks.exe
1560	schtasks.exe
2052	schtasks.exe
1668	schtasks.exe
1644	schtasks.exe
1748	schtasks.exe
824	schtasks.exe
1596	schtasks.exe
676	schtasks.exe
1212	schtasks.exe
1412	schtasks.exe
976	schtasks.exe
984	schtasks.exe
1064	schtasks.exe
1584	schtasks.exe
2112	schtasks.exe
1720	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exeSystem.exe

pid	process
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe
2236	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exeSystem.exe

description pid process

Token: SeDebugPrivilege 1960 a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
Token: SeDebugPrivilege 2236 System.exe

description	pid	process
Token: SeDebugPrivilege	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
Token: SeDebugPrivilege	2236	System.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exetmp39A.tmp.exeSystem.exetmp13EF.tmp.exe

description	pid	process	target process
PID 1960 wrote to memory of 1604	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	tmp39A.tmp.exe
PID 1960 wrote to memory of 1604	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	tmp39A.tmp.exe
PID 1960 wrote to memory of 1604	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	tmp39A.tmp.exe
PID 1960 wrote to memory of 1604	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	tmp39A.tmp.exe
PID 1604 wrote to memory of 1488	1604	tmp39A.tmp.exe	WerFault.exe
PID 1604 wrote to memory of 1488	1604	tmp39A.tmp.exe	WerFault.exe
PID 1604 wrote to memory of 1488	1604	tmp39A.tmp.exe	WerFault.exe
PID 1604 wrote to memory of 1488	1604	tmp39A.tmp.exe	WerFault.exe
PID 1960 wrote to memory of 2236	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	System.exe
PID 1960 wrote to memory of 2236	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	System.exe
PID 1960 wrote to memory of 2236	1960	a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe	System.exe
PID 2236 wrote to memory of 2360	2236	System.exe	tmp13EF.tmp.exe
PID 2236 wrote to memory of 2360	2236	System.exe	tmp13EF.tmp.exe
PID 2236 wrote to memory of 2360	2236	System.exe	tmp13EF.tmp.exe
PID 2236 wrote to memory of 2360	2236	System.exe	tmp13EF.tmp.exe
PID 2360 wrote to memory of 2392	2360	tmp13EF.tmp.exe	WerFault.exe
PID 2360 wrote to memory of 2392	2360	tmp13EF.tmp.exe	WerFault.exe
PID 2360 wrote to memory of 2392	2360	tmp13EF.tmp.exe	WerFault.exe
PID 2360 wrote to memory of 2392	2360	tmp13EF.tmp.exe	WerFault.exe
PID 2236 wrote to memory of 2488	2236	System.exe	WScript.exe
PID 2236 wrote to memory of 2488	2236	System.exe	WScript.exe
PID 2236 wrote to memory of 2488	2236	System.exe	WScript.exe
PID 2236 wrote to memory of 2512	2236	System.exe	WScript.exe
PID 2236 wrote to memory of 2512	2236	System.exe	WScript.exe
PID 2236 wrote to memory of 2512	2236	System.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe
"C:\Users\Admin\AppData\Local\Temp\a2ce6b8cc1683e6f1b0e4a8ad210b4d0.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp39A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp39A.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 96
3⤵
- Loads dropped DLL
- Program crash
PID:1488

C:\Windows\PolicyDefinitions\en-US\System.exe
"C:\Windows\PolicyDefinitions\en-US\System.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

C:\Users\Admin\AppData\Local\Temp\tmp13EF.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp13EF.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:2392

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\339c2a84-2f14-4290-b6f3-cabc647ad601.vbs"
3⤵
PID:2488

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a3b43a13-d792-4eb2-95c2-58b40d95a5bf.vbs"
3⤵
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\browser\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\c0f67622-1a8a-11ed-ae9f-b21da26d38ed\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\DPX\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DPX\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\339c2a84-2f14-4290-b6f3-cabc647ad601.vbs
Filesize
721B

MD5
d3a46b8a46d51881f3d0259575e1b0e7

SHA1
f8b4eee79603d7300b4d3587385f21d949d749fc

SHA256
fc76cf65e6b568178e331078f9bd4de573c131352a44d2cdf4f61dce65d6d664

SHA512
ce46f90f36e4dd44009394de4e6d03bc2a1bc992efed3156f8d4beb03c77efaf19be47cd588c9787e17805ea07dcc440e0bfb08f9bb4ab6438c39ea5d0f02c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a3b43a13-d792-4eb2-95c2-58b40d95a5bf.vbs
Filesize
497B

MD5
20ab18d462b8f46d2c7312e2dfe599bb

SHA1
54041ec58012c42224801e469ed54c207c822cc2

SHA256
34196a3d243092143629eb8cdb17037aa7f66ca43536b9407a795dfb239814d5

SHA512
1b768a5995b69b1450511cdc1a757c30e62d95aee13204b74d636f9d9266455d5a7ca497e2b84d79d0a468f68bfa5cea9e6319faba463b4c0bc50c9d95b0f22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13EF.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp39A.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Windows\PolicyDefinitions\en-US\System.exe
Filesize
6.4MB

MD5
a2ce6b8cc1683e6f1b0e4a8ad210b4d0

SHA1
c8bf69219d2fb1b6280425e58465493b0dfab0ae

SHA256
182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3

SHA512
4f24e9fc230d3ab5c4ac19798a7c058f2e713400dde817b1082ffdd5f284e23cb0257a7a732bcacaf4867189f21f3484a9a1fd9cb63c446db549dfed7748b070

Download Submit
C:\Windows\PolicyDefinitions\en-US\System.exe
Filesize
6.4MB

MD5
a2ce6b8cc1683e6f1b0e4a8ad210b4d0

SHA1
c8bf69219d2fb1b6280425e58465493b0dfab0ae

SHA256
182ddbdb6883ebe006722c43b0a28ddab33d5a87f6609a6f933bd811ca489ae3

SHA512
4f24e9fc230d3ab5c4ac19798a7c058f2e713400dde817b1082ffdd5f284e23cb0257a7a732bcacaf4867189f21f3484a9a1fd9cb63c446db549dfed7748b070

Download Submit
\Users\Admin\AppData\Local\Temp\tmp13EF.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp13EF.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp13EF.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp39A.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp39A.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp39A.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/1488-68-0x0000000000000000-mapping.dmp

Download
memory/1604-66-0x0000000000000000-mapping.dmp

Download
memory/1960-61-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1960-60-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/1960-64-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/1960-55-0x000000001BD90000-0x000000001BF18000-memory.dmp

Filesize
1.5MB

Download
memory/1960-63-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/1960-54-0x0000000001050000-0x00000000016B6000-memory.dmp

Filesize
6.4MB

Download
memory/1960-56-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/1960-62-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/1960-57-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1960-65-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1960-58-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/1960-59-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/2236-74-0x00000000008D0000-0x0000000000F36000-memory.dmp

Filesize
6.4MB

Download
memory/2236-71-0x0000000000000000-mapping.dmp

Download
memory/2360-76-0x0000000000000000-mapping.dmp

Download
memory/2392-78-0x0000000000000000-mapping.dmp

Download
memory/2488-82-0x0000000000000000-mapping.dmp

Download
memory/2512-83-0x0000000000000000-mapping.dmp

Download