dcrat | 563d00ae7f20691f00834ec48e58f85519af8425e46045a03d587f3c6e42f3f6

General

Target

1e3f692a00a384f021b60e1ac5e23c5c.exe
Size

2.6MB
MD5

1e3f692a00a384f021b60e1ac5e23c5c
SHA1

b80fdeaaea1379f593314ad60d1ab9da6cf2daa1
SHA256

563d00ae7f20691f00834ec48e58f85519af8425e46045a03d587f3c6e42f3f6
SHA512

6d82fc2a4a11e5fde4c40a01101bb7f27ff1f901360359b8772f762d0ebe085d1382c43f220d0ddd6b1f76666087af33fa47de400ae1032afa4ace6c7cd2fc6c
SSDEEP

49152:PpTn80rAHkSrvT7yEBpojAGw3fo+5D0gRbfGNW8UlbSpDCP2XF:PZpktrvTOqp2Nw3L0gRbfGI8sepeu1

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4056	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2412	schtasks.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3712-132-0x0000000000610000-0x00000000008B4000-memory.dmp	dcrat
C:\odt\csrss.exe	dcrat

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe

Drops file in System32 directory 2 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\fr-FR\Licenses\dllhost.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\5940a34987c991	1e3f692a00a384f021b60e1ac5e23c5c.exe

Drops file in Program Files directory 12 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
File created	C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\9e8d7a4ca61bd9	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\smss.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\f3b6ecef712a24	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\56085415360792	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files (x86)\Google\Policies\fontdrvhost.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files (x86)\Google\Policies\5b884080fd4f94	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\1e3f692a00a384f021b60e1ac5e23c5c.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\89f758bde081a1	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\69ddcba757bf72	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\spoolsv.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe

Drops file in Windows directory 2 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
File created	C:\Windows\tracing\SppExtComObj.exe	1e3f692a00a384f021b60e1ac5e23c5c.exe
File created	C:\Windows\tracing\e1ef82546f0b02	1e3f692a00a384f021b60e1ac5e23c5c.exe

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1040	schtasks.exe
3540	schtasks.exe
1016	schtasks.exe
5072	schtasks.exe
3256	schtasks.exe
2952	schtasks.exe
4056	schtasks.exe
3760	schtasks.exe
5000	schtasks.exe
2364	schtasks.exe
636	schtasks.exe
1232	schtasks.exe
3692	schtasks.exe
1552	schtasks.exe
3676	schtasks.exe
4180	schtasks.exe
4036	schtasks.exe
2776	schtasks.exe
4680	schtasks.exe
3980	schtasks.exe
3664	schtasks.exe
4172	schtasks.exe
1132	schtasks.exe
4936	schtasks.exe
3952	schtasks.exe
5036	schtasks.exe
1256	schtasks.exe
4748	schtasks.exe
5040	schtasks.exe
1312	schtasks.exe
5104	schtasks.exe
4684	schtasks.exe
2256	schtasks.exe
1992	schtasks.exe
3412	schtasks.exe
932	schtasks.exe
2680	schtasks.exe
5080	schtasks.exe
4196	schtasks.exe
3808	schtasks.exe
3828	schtasks.exe
4720	schtasks.exe
4584	schtasks.exe
3844	schtasks.exe
3520	schtasks.exe
3864	schtasks.exe
224	schtasks.exe
2248	schtasks.exe
4768	schtasks.exe
4676	schtasks.exe
3344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

pid	process
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe
3712	1e3f692a00a384f021b60e1ac5e23c5c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description pid process

Token: SeDebugPrivilege 3712 1e3f692a00a384f021b60e1ac5e23c5c.exe

description	pid	process
Token: SeDebugPrivilege	3712	1e3f692a00a384f021b60e1ac5e23c5c.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

1e3f692a00a384f021b60e1ac5e23c5c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	1e3f692a00a384f021b60e1ac5e23c5c.exe

C:\Users\Admin\AppData\Local\Temp\1e3f692a00a384f021b60e1ac5e23c5c.exe
"C:\Users\Admin\AppData\Local\Temp\1e3f692a00a384f021b60e1ac5e23c5c.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e3f692a00a384f021b60e1ac5e23c5c.exe'
2⤵
PID:3868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
2⤵
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\1e3f692a00a384f021b60e1ac5e23c5c.exe'
2⤵
PID:2480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
2⤵
PID:3076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
2⤵
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\fr-FR\Licenses\dllhost.exe'
2⤵
PID:2964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\SppExtComObj.exe'
2⤵
PID:4788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
2⤵
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
2⤵
PID:1432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\fontdrvhost.exe'
2⤵
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'
2⤵
PID:4836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Templates\1033\spoolsv.exe'
2⤵
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
2⤵
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'
2⤵
PID:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'
2⤵
PID:3400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'
2⤵
PID:3856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\1e3f692a00a384f021b60e1ac5e23c5c.exe'
2⤵
PID:3940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
2⤵
PID:4376

C:\odt\csrss.exe
"C:\odt\csrss.exe"
2⤵
PID:5132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c1" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c1" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\tracing\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\fr-FR\Licenses\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\fr-FR\Licenses\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\fr-FR\Licenses\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\Templates\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Templates\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\root\Templates\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Policies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c1" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e3f692a00a384f021b60e1ac5e23c5c1" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\1e3f692a00a384f021b60e1ac5e23c5c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Bypass User Account Control

1

T1088

Scheduled Task

1

T1053

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\odt\csrss.exe
Filesize
320KB

MD5
a4fbe4025b106d09a1adb894aad9f141

SHA1
3d9ab861aba54bb2d7edd8cf13b5c45bc44e05b0

SHA256
2ad1f97201a26ddebc7ed68330a409aa16a4605fccebc3f7aadadc115cfe94a0

SHA512
cbd5a89a1f4c5601611b82bb574cc5ee074d95409b0a1ded4f2378e555510f58fda32e38aa6733246e0af5eb2f8f9303d81e6fb8e7b1a1382bb70398e39d56b4

Download Submit
memory/64-159-0x0000000000000000-mapping.dmp

Download
memory/1116-168-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/1116-149-0x0000000000000000-mapping.dmp

Download
memory/1432-173-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/1432-154-0x0000000000000000-mapping.dmp

Download
memory/2088-175-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/2088-157-0x0000000000000000-mapping.dmp

Download
memory/2252-174-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/2252-155-0x0000000000000000-mapping.dmp

Download
memory/2480-166-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/2480-147-0x0000000000000000-mapping.dmp

Download
memory/2964-171-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/2964-152-0x0000000000000000-mapping.dmp

Download
memory/3060-164-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3060-165-0x000001E264370000-0x000001E264392000-memory.dmp

Filesize
136KB

Download
memory/3060-146-0x0000000000000000-mapping.dmp

Download
memory/3076-167-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3076-148-0x0000000000000000-mapping.dmp

Download
memory/3400-160-0x0000000000000000-mapping.dmp

Download
memory/3712-143-0x000000001DCE0000-0x000000001DCE4000-memory.dmp

Filesize
16KB

Download
memory/3712-137-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3712-150-0x000000001DCE7000-0x000000001DCEC000-memory.dmp

Filesize
20KB

Download
memory/3712-133-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3712-134-0x000000001CD60000-0x000000001D288000-memory.dmp

Filesize
5.2MB

Download
memory/3712-135-0x00000000011E9000-0x00000000011EF000-memory.dmp

Filesize
24KB

Download
memory/3712-144-0x000000001DCE4000-0x000000001DCE7000-memory.dmp

Filesize
12KB

Download
memory/3712-132-0x0000000000610000-0x00000000008B4000-memory.dmp

Filesize
2.6MB

Download
memory/3712-136-0x000000001DCE0000-0x000000001DCE4000-memory.dmp

Filesize
16KB

Download
memory/3712-138-0x000000001DCE4000-0x000000001DCE7000-memory.dmp

Filesize
12KB

Download
memory/3712-142-0x00000000011E5000-0x00000000011EE000-memory.dmp

Filesize
36KB

Download
memory/3712-139-0x000000001DCE7000-0x000000001DCEC000-memory.dmp

Filesize
20KB

Download
memory/3712-141-0x00000000011E9000-0x00000000011EF000-memory.dmp

Filesize
24KB

Download
memory/3712-140-0x000000001DCE1000-0x000000001DCE6000-memory.dmp

Filesize
20KB

Download
memory/3856-161-0x0000000000000000-mapping.dmp

Download
memory/3868-145-0x0000000000000000-mapping.dmp

Download
memory/3868-169-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/3940-162-0x0000000000000000-mapping.dmp

Download
memory/4376-163-0x0000000000000000-mapping.dmp

Download
memory/4788-170-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/4788-151-0x0000000000000000-mapping.dmp

Download
memory/4836-156-0x0000000000000000-mapping.dmp

Download
memory/4860-172-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/4860-153-0x0000000000000000-mapping.dmp

Download
memory/4964-158-0x0000000000000000-mapping.dmp

Download
memory/4964-179-0x00007FFA943A0000-0x00007FFA94E61000-memory.dmp

Filesize
10.8MB

Download
memory/5132-176-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads