dcrat | 01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

685KB
MD5

f46ec173d8bde278bd30b1ea98139b82
SHA1

449d0804551bddab7e74b5f49075844c7eb5910b
SHA256

01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e
SHA512

721f2ce3d13a44d2a5a601fdb4448acb710397295e5f4992ba53a268072d36fba19e1758ed7d9e59e77ea71de353b3e0460cde7fb931d75439dd5926513b8bf3
SSDEEP

12288:6Nqf31kcqzecjnf6vBSx7zr/5Ot3blrAJR1pvXvamrbfWQM27W5stq:n1qzeEiSbBwblrAbtnfsst

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	3204	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3204	schtasks.exe	36

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4920-139-0x0000000000400000-0x000000000047C000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2464	dwm.exe
2860	dwm.exe
4012	dwm.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	file.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2688 set thread context of 4920	2688	file.exe	86
PID 2464 set thread context of 4012	2464	dwm.exe	138

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\ee2ad38f3d4382	file.exe
File created	C:\Program Files (x86)\Google\Update\spoolsv.exe	file.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\dllhost.exe	file.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\Registry.exe	file.exe
File opened for modification	C:\Program Files (x86)\Google\Update\spoolsv.exe	file.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\5940a34987c991	file.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe	file.exe
File created	C:\Program Files (x86)\Adobe\Idle.exe	file.exe
File created	C:\Program Files (x86)\Adobe\6ccacd8608530f	file.exe
File created	C:\Program Files (x86)\Google\Update\f3b6ecef712a24	file.exe
File created	C:\Program Files\Windows Portable Devices\SppExtComObj.exe	file.exe
File created	C:\Program Files\Windows Portable Devices\e1ef82546f0b02	file.exe
File created	C:\Program Files (x86)\Microsoft\lsass.exe	file.exe
File created	C:\Program Files (x86)\Microsoft\6203df4a6bafc7	file.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\6cb0b6c459d5d3	file.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe	file.exe
File created	C:\Windows\IdentityCRL\production\55b276f4edf653	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4424	schtasks.exe
3696	schtasks.exe
4732	schtasks.exe
996	schtasks.exe
4512	schtasks.exe
3316	schtasks.exe
2008	schtasks.exe
3744	schtasks.exe
1668	schtasks.exe
4824	schtasks.exe
2492	schtasks.exe
3492	schtasks.exe
1716	schtasks.exe
1700	schtasks.exe
4036	schtasks.exe
1268	schtasks.exe
3804	schtasks.exe
4808	schtasks.exe
5012	schtasks.exe
512	schtasks.exe
4604	schtasks.exe
4484	schtasks.exe
4500	schtasks.exe
2228	schtasks.exe
4372	schtasks.exe
2320	schtasks.exe
4984	schtasks.exe
2652	schtasks.exe
4796	schtasks.exe
4924	schtasks.exe
1752	schtasks.exe
3532	schtasks.exe
5000	schtasks.exe
3404	schtasks.exe
1892	schtasks.exe
1996	schtasks.exe
5076	schtasks.exe
3168	schtasks.exe
2724	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	file.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	file.exe
2688	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
4920	file.exe
2464	dwm.exe
2464	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe
4012	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	file.exe
Token: SeDebugPrivilege	4920	file.exe
Token: SeDebugPrivilege	2464	dwm.exe
Token: SeDebugPrivilege	4012	dwm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2688	file.exe
2688	file.exe
2464	dwm.exe
2464	dwm.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4092	2688	file.exe	85
PID 2688 wrote to memory of 4092	2688	file.exe	85
PID 2688 wrote to memory of 4092	2688	file.exe	85
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 2688 wrote to memory of 4920	2688	file.exe	86
PID 4920 wrote to memory of 2308	4920	file.exe	126
PID 4920 wrote to memory of 2308	4920	file.exe	126
PID 4920 wrote to memory of 2308	4920	file.exe	126
PID 2308 wrote to memory of 1432	2308	cmd.exe	128
PID 2308 wrote to memory of 1432	2308	cmd.exe	128
PID 2308 wrote to memory of 1432	2308	cmd.exe	128
PID 1432 wrote to memory of 2128	1432	w32tm.exe	129
PID 1432 wrote to memory of 2128	1432	w32tm.exe	129
PID 2308 wrote to memory of 2464	2308	cmd.exe	130
PID 2308 wrote to memory of 2464	2308	cmd.exe	130
PID 2308 wrote to memory of 2464	2308	cmd.exe	130
PID 2464 wrote to memory of 2860	2464	dwm.exe	137
PID 2464 wrote to memory of 2860	2464	dwm.exe	137
PID 2464 wrote to memory of 2860	2464	dwm.exe	137
PID 2464 wrote to memory of 4012	2464	dwm.exe	138
PID 2464 wrote to memory of 4012	2464	dwm.exe	138
PID 2464 wrote to memory of 4012	2464	dwm.exe	138
PID 2464 wrote to memory of 4012	2464	dwm.exe	138
PID 2464 wrote to memory of 4012	2464	dwm.exe	138
PID 2464 wrote to memory of 4012	2464	dwm.exe	138
PID 2464 wrote to memory of 4012	2464	dwm.exe	138
PID 2464 wrote to memory of 4012	2464	dwm.exe	138

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "{path}"
  2⤵
  PID:4092
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "{path}"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\erJM54RgIE.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\SysWOW64\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2128
  - - C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe
      "C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        
        PID:2860
    - - C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe
        
        "{path}"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\production\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe

Filesize
685KB

MD5
f46ec173d8bde278bd30b1ea98139b82

SHA1
449d0804551bddab7e74b5f49075844c7eb5910b

SHA256
01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e

SHA512
721f2ce3d13a44d2a5a601fdb4448acb710397295e5f4992ba53a268072d36fba19e1758ed7d9e59e77ea71de353b3e0460cde7fb931d75439dd5926513b8bf3

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe

Filesize
685KB

MD5
f46ec173d8bde278bd30b1ea98139b82

SHA1
449d0804551bddab7e74b5f49075844c7eb5910b

SHA256
01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e

SHA512
721f2ce3d13a44d2a5a601fdb4448acb710397295e5f4992ba53a268072d36fba19e1758ed7d9e59e77ea71de353b3e0460cde7fb931d75439dd5926513b8bf3

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe

Filesize
685KB

MD5
f46ec173d8bde278bd30b1ea98139b82

SHA1
449d0804551bddab7e74b5f49075844c7eb5910b

SHA256
01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e

SHA512
721f2ce3d13a44d2a5a601fdb4448acb710397295e5f4992ba53a268072d36fba19e1758ed7d9e59e77ea71de353b3e0460cde7fb931d75439dd5926513b8bf3

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\dwm.exe

Filesize
685KB

MD5
f46ec173d8bde278bd30b1ea98139b82

SHA1
449d0804551bddab7e74b5f49075844c7eb5910b

SHA256
01e7e40df68d964bc66f0b36b986abe39b395baedf8f2067378c395bedffd59e

SHA512
721f2ce3d13a44d2a5a601fdb4448acb710397295e5f4992ba53a268072d36fba19e1758ed7d9e59e77ea71de353b3e0460cde7fb931d75439dd5926513b8bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\erJM54RgIE.bat

Filesize
229B

MD5
face9c882cc687f6b991cbe09c3ec993

SHA1
844d9cc80ba4fae75772671ef554245ba2f7ff77

SHA256
ef066aad2efa28dca448665a69a8c08a7208e10508181212b56b1b3aac3ed26d

SHA512
e7450675f873f3f70c57333e8273a1dc036e766196769932d22dbbe159fa36b5dd11d097ecae347b897e0a4bc2f9899861063310290b54261549e4102490c497

Download Submit
memory/2688-132-0x0000000000B20000-0x0000000000BD2000-memory.dmp

Filesize
712KB

Download
memory/2688-136-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/2688-135-0x0000000005650000-0x00000000056EC000-memory.dmp

Filesize
624KB

Download
memory/2688-134-0x0000000005590000-0x0000000005622000-memory.dmp

Filesize
584KB

Download
memory/2688-133-0x0000000005C00000-0x00000000061A4000-memory.dmp

Filesize
5.6MB

Download
memory/4920-141-0x00000000067C0000-0x0000000006826000-memory.dmp

Filesize
408KB

Download
memory/4920-139-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download