dcrat | 5d3f37a7c26e9ed952646c5ad109748dbfaca5a48521a62dab7251097d0dbf16

General

Target

3901c69b6a512e0a04191c06fa3ad1d0.exe
Size

315KB
MD5

3901c69b6a512e0a04191c06fa3ad1d0
SHA1

a83bde5b7bf349d2e1c561d6e2ad42b5394e0274
SHA256

5d3f37a7c26e9ed952646c5ad109748dbfaca5a48521a62dab7251097d0dbf16
SHA512

55a5c7f95418d0747bdfdf1a09d4ef622246b6371cd4f3c8a3427420aaa07336bf5c2de24b9f7513c19e0d14f475fc1a9c3f9fefc442a92e3d5af044f75dec24
SSDEEP

6144:37VyN3U5hGl0bHCI0AfGwrj/UAloI8LdorlE5fObRBVwCqy:3wNE5YbI0s/UXLdoa5f2BR

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1768	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1768	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1132-132-0x0000000000D60000-0x0000000000DB6000-memory.dmp	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

3376 smss.exe

pid	process
3376	smss.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3901c69b6a512e0a04191c06fa3ad1d0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3901c69b6a512e0a04191c06fa3ad1d0.exe

Drops file in Program Files directory 20 IoCs

Processes:

3901c69b6a512e0a04191c06fa3ad1d0.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\backgroundTaskHost.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\c5b4cb5e9653cc	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6ccacd8608530f	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\f3b6ecef712a24	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\Windows Media Player\fr-FR\e1ef82546f0b02	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\Mozilla Firefox\eddb19405b7ce1	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\Windows Photo Viewer\smss.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\Windows Photo Viewer\69ddcba757bf72	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\dllhost.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\WindowsPowerShell\csrss.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\WindowsPowerShell\886983d96e3d3e	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe

Drops file in Windows directory 6 IoCs

Processes:

3901c69b6a512e0a04191c06fa3ad1d0.exe

description	ioc	process
File created	C:\Windows\tracing\smss.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Windows\tracing\69ddcba757bf72	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Windows\en-US\StartMenuExperienceHost.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Windows\en-US\55b276f4edf653	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Windows\PrintDialog\Assets\services.exe	3901c69b6a512e0a04191c06fa3ad1d0.exe
File created	C:\Windows\PrintDialog\Assets\c5b4cb5e9653cc	3901c69b6a512e0a04191c06fa3ad1d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2152	schtasks.exe
1536	schtasks.exe
1744	schtasks.exe
4308	schtasks.exe
932	schtasks.exe
1924	schtasks.exe
3980	schtasks.exe
3412	schtasks.exe
2968	schtasks.exe
2260	schtasks.exe
2148	schtasks.exe
3692	schtasks.exe
4728	schtasks.exe
3244	schtasks.exe
2100	schtasks.exe
3536	schtasks.exe
2180	schtasks.exe
4080	schtasks.exe
3380	schtasks.exe
1308	schtasks.exe
4756	schtasks.exe
4276	schtasks.exe
4168	schtasks.exe
2776	schtasks.exe
4396	schtasks.exe
4228	schtasks.exe
4140	schtasks.exe
4912	schtasks.exe
2196	schtasks.exe
208	schtasks.exe
2692	schtasks.exe
772	schtasks.exe
3764	schtasks.exe
4108	schtasks.exe
5080	schtasks.exe
3656	schtasks.exe
3112	schtasks.exe
4336	schtasks.exe
348	schtasks.exe
4716	schtasks.exe
2052	schtasks.exe
768	schtasks.exe
2436	schtasks.exe
3424	schtasks.exe
3852	schtasks.exe
1320	schtasks.exe
2120	schtasks.exe
1660	schtasks.exe
1304	schtasks.exe
4904	schtasks.exe
4820	schtasks.exe
1960	schtasks.exe
2796	schtasks.exe
3620	schtasks.exe

Modifies registry class 1 IoCs

Processes:

3901c69b6a512e0a04191c06fa3ad1d0.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	3901c69b6a512e0a04191c06fa3ad1d0.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

3901c69b6a512e0a04191c06fa3ad1d0.exesmss.exe

pid	process
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
3376	smss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3901c69b6a512e0a04191c06fa3ad1d0.exesmss.exe

description pid process

Token: SeDebugPrivilege 1132 3901c69b6a512e0a04191c06fa3ad1d0.exe
Token: SeDebugPrivilege 3376 smss.exe

description	pid	process
Token: SeDebugPrivilege	1132	3901c69b6a512e0a04191c06fa3ad1d0.exe
Token: SeDebugPrivilege	3376	smss.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3901c69b6a512e0a04191c06fa3ad1d0.execmd.exe

description	pid	process	target process
PID 1132 wrote to memory of 2536	1132	3901c69b6a512e0a04191c06fa3ad1d0.exe	cmd.exe
PID 1132 wrote to memory of 2536	1132	3901c69b6a512e0a04191c06fa3ad1d0.exe	cmd.exe
PID 2536 wrote to memory of 5044	2536	cmd.exe	w32tm.exe
PID 2536 wrote to memory of 5044	2536	cmd.exe	w32tm.exe
PID 2536 wrote to memory of 3376	2536	cmd.exe	smss.exe
PID 2536 wrote to memory of 3376	2536	cmd.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\3901c69b6a512e0a04191c06fa3ad1d0.exe
"C:\Users\Admin\AppData\Local\Temp\3901c69b6a512e0a04191c06fa3ad1d0.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wp6woF86i.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:5044

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\Assets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PrintDialog\Assets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\Assets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\NetHood\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3901c69b6a512e0a04191c06fa3ad1d03" /sc MINUTE /mo 8 /tr "'C:\odt\3901c69b6a512e0a04191c06fa3ad1d0.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3901c69b6a512e0a04191c06fa3ad1d0" /sc ONLOGON /tr "'C:\odt\3901c69b6a512e0a04191c06fa3ad1d0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3901c69b6a512e0a04191c06fa3ad1d03" /sc MINUTE /mo 8 /tr "'C:\odt\3901c69b6a512e0a04191c06fa3ad1d0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\smss.exe
Filesize
315KB

MD5
3901c69b6a512e0a04191c06fa3ad1d0

SHA1
a83bde5b7bf349d2e1c561d6e2ad42b5394e0274

SHA256
5d3f37a7c26e9ed952646c5ad109748dbfaca5a48521a62dab7251097d0dbf16

SHA512
55a5c7f95418d0747bdfdf1a09d4ef622246b6371cd4f3c8a3427420aaa07336bf5c2de24b9f7513c19e0d14f475fc1a9c3f9fefc442a92e3d5af044f75dec24

Download Submit
C:\Recovery\WindowsRE\smss.exe
Filesize
315KB

MD5
3901c69b6a512e0a04191c06fa3ad1d0

SHA1
a83bde5b7bf349d2e1c561d6e2ad42b5394e0274

SHA256
5d3f37a7c26e9ed952646c5ad109748dbfaca5a48521a62dab7251097d0dbf16

SHA512
55a5c7f95418d0747bdfdf1a09d4ef622246b6371cd4f3c8a3427420aaa07336bf5c2de24b9f7513c19e0d14f475fc1a9c3f9fefc442a92e3d5af044f75dec24

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wp6woF86i.bat
Filesize
195B

MD5
2a606209a8d43f5cb04d3f03a0b0a86b

SHA1
133ee8de9e3a3d4d3dfef63d0201bc857a522079

SHA256
99b4babb968b3451b43b1261ec8c6a19b9b66033125d1377681bbb0ddf8fe4b5

SHA512
324172347fd174bbdc6da8cb7629b523801756fdb3453c23f189fef459f2c8931204ba65afaa8534d95adc3e49b7ff1464ec475a39d839f3caa8030dd3f94400

Download Submit
memory/1132-132-0x0000000000D60000-0x0000000000DB6000-memory.dmp

Filesize
344KB

Download
memory/1132-133-0x00007FFFDECB0000-0x00007FFFDF771000-memory.dmp

Filesize
10.8MB

Download
memory/1132-137-0x00007FFFDECB0000-0x00007FFFDF771000-memory.dmp

Filesize
10.8MB

Download
memory/2536-134-0x0000000000000000-mapping.dmp

Download
memory/3376-138-0x0000000000000000-mapping.dmp

Download
memory/3376-141-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-142-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-143-0x00007FFFDEF20000-0x00007FFFDF9E1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads