dcrat | 11aa233605f898d03e961ce0b0015071b89376ac36ed4d4faeb3d44073096f29

General

Target

bf1b4357d7462cf24d08b3dee21a1d66.exe
Size

2.1MB
MD5

bf1b4357d7462cf24d08b3dee21a1d66
SHA1

3d087a8956fa7e03cfd0bfe7d4b981d7f2806e38
SHA256

11aa233605f898d03e961ce0b0015071b89376ac36ed4d4faeb3d44073096f29
SHA512

0cb9ae25b25a65cd3a29726b0ee8cb2fec1fe7b1f4de3f41e5019cf99737dc2439efa6f7a0d3594496523e0bf57203c2e4d9c6b25471508907c7110fe91dcb31
SSDEEP

49152:C5yY3TmvJfJMip/gR7JUzzRdMAafI5bOgdHE:CICY3vpWJydMAa8bdE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3552	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4072	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	392	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/628-133-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/628-134-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/628-144-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/2676-147-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/2676-148-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/2676-149-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/2676-154-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/3596-156-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/3596-157-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/3596-158-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/3596-162-0x0000000000090000-0x00000000005DA000-memory.dmp	dcrat
behavioral2/memory/532-167-0x00000000005F0000-0x0000000000B3A000-memory.dmp	dcrat
behavioral2/memory/532-168-0x00000000005F0000-0x0000000000B3A000-memory.dmp	dcrat
behavioral2/memory/532-169-0x00000000005F0000-0x0000000000B3A000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

smss.exe

pid process

532 smss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
532	smss.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

Processes:

bf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exesmss.exe

pid	process
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe

Drops file in Program Files directory 23 IoCs

Processes:

bf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\images\7a0fd90576e088	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\taskhostw.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Defender\sihost.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Windows Defender\es-ES\services.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Internet Explorer\System.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Internet Explorer\images\explorer.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ea9f0e6c9e2dcd	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\ea1d8f6d871115	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Defender\66fc9ff0ee96c2	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6ccacd8608530f	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Windows Defender\es-ES\c5b4cb5e9653cc	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Microsoft.NET\e6c9b481da804f	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Internet Explorer\27d1bcfc3c54e0	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\upfc.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\MSBuild\taskhostw.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\MSBuild\ea9f0e6c9e2dcd	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\c5b4cb5e9653cc	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9	bf1b4357d7462cf24d08b3dee21a1d66.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe

Drops file in Windows directory 13 IoCs

Processes:

bf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exe

description	ioc	process
File created	C:\Windows\DigitalLocker\en-US\sihost.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\DigitalLocker\en-US\66fc9ff0ee96c2	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\Panther\UnattendGC\fontdrvhost.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File opened for modification	C:\Windows\Panther\UnattendGC\fontdrvhost.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\DiagTrack\csrss.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\DiagTrack\886983d96e3d3e	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\addins\explorer.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\addins\7a0fd90576e088	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\InputMethod\wininit.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\Logs\9e8d7a4ca61bd9	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\Panther\UnattendGC\5b884080fd4f94	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\InputMethod\56085415360792	bf1b4357d7462cf24d08b3dee21a1d66.exe
File created	C:\Windows\Logs\RuntimeBroker.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4680	schtasks.exe
2300	schtasks.exe
1912	schtasks.exe
4360	schtasks.exe
4444	schtasks.exe
4712	schtasks.exe
984	schtasks.exe
3640	schtasks.exe
2216	schtasks.exe
3876	schtasks.exe
2052	schtasks.exe
800	schtasks.exe
1532	schtasks.exe
4452	schtasks.exe
3844	schtasks.exe
364	schtasks.exe
2872	schtasks.exe
3992	schtasks.exe
5108	schtasks.exe
4840	schtasks.exe
2712	schtasks.exe
4632	schtasks.exe
216	schtasks.exe
4172	schtasks.exe
5036	schtasks.exe
4116	schtasks.exe
4868	schtasks.exe
1600	schtasks.exe
4936	schtasks.exe
2464	schtasks.exe
1288	schtasks.exe
1640	schtasks.exe
4460	schtasks.exe
3628	schtasks.exe
1780	schtasks.exe
3640	schtasks.exe
216	schtasks.exe
4064	schtasks.exe
1116	schtasks.exe
1540	schtasks.exe
1484	schtasks.exe
4360	schtasks.exe
1004	schtasks.exe
3112	schtasks.exe
3304	schtasks.exe
5032	schtasks.exe
5056	schtasks.exe
4972	schtasks.exe
4512	schtasks.exe
4460	schtasks.exe
4196	schtasks.exe
3080	schtasks.exe
3524	schtasks.exe
1004	schtasks.exe
4748	schtasks.exe
800	schtasks.exe
4888	schtasks.exe
4964	schtasks.exe
4736	schtasks.exe
4072	schtasks.exe
3044	schtasks.exe
1204	schtasks.exe
2932	schtasks.exe
1420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

bf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exesmss.exe

pid	process
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
628	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe
532	smss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	628	bf1b4357d7462cf24d08b3dee21a1d66.exe
Token: SeDebugPrivilege	2676	bf1b4357d7462cf24d08b3dee21a1d66.exe
Token: SeDebugPrivilege	3596	bf1b4357d7462cf24d08b3dee21a1d66.exe
Token: SeDebugPrivilege	532	smss.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

bf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exebf1b4357d7462cf24d08b3dee21a1d66.exesmss.exe

pid process

628 bf1b4357d7462cf24d08b3dee21a1d66.exe
2676 bf1b4357d7462cf24d08b3dee21a1d66.exe
3596 bf1b4357d7462cf24d08b3dee21a1d66.exe
532 smss.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

bf1b4357d7462cf24d08b3dee21a1d66.execmd.exew32tm.exebf1b4357d7462cf24d08b3dee21a1d66.execmd.exew32tm.exebf1b4357d7462cf24d08b3dee21a1d66.execmd.exew32tm.exe

description	pid	process	target process
PID 628 wrote to memory of 3868	628	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 628 wrote to memory of 3868	628	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 628 wrote to memory of 3868	628	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 3868 wrote to memory of 3128	3868	cmd.exe	w32tm.exe
PID 3868 wrote to memory of 3128	3868	cmd.exe	w32tm.exe
PID 3868 wrote to memory of 3128	3868	cmd.exe	w32tm.exe
PID 3128 wrote to memory of 4040	3128	w32tm.exe	w32tm.exe
PID 3128 wrote to memory of 4040	3128	w32tm.exe	w32tm.exe
PID 3868 wrote to memory of 2676	3868	cmd.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
PID 3868 wrote to memory of 2676	3868	cmd.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
PID 3868 wrote to memory of 2676	3868	cmd.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
PID 2676 wrote to memory of 4584	2676	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 2676 wrote to memory of 4584	2676	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 2676 wrote to memory of 4584	2676	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 4584 wrote to memory of 4968	4584	cmd.exe	w32tm.exe
PID 4584 wrote to memory of 4968	4584	cmd.exe	w32tm.exe
PID 4584 wrote to memory of 4968	4584	cmd.exe	w32tm.exe
PID 4968 wrote to memory of 1536	4968	w32tm.exe	w32tm.exe
PID 4968 wrote to memory of 1536	4968	w32tm.exe	w32tm.exe
PID 4584 wrote to memory of 3596	4584	cmd.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
PID 4584 wrote to memory of 3596	4584	cmd.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
PID 4584 wrote to memory of 3596	4584	cmd.exe	bf1b4357d7462cf24d08b3dee21a1d66.exe
PID 3596 wrote to memory of 1396	3596	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 3596 wrote to memory of 1396	3596	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 3596 wrote to memory of 1396	3596	bf1b4357d7462cf24d08b3dee21a1d66.exe	cmd.exe
PID 1396 wrote to memory of 4040	1396	cmd.exe	w32tm.exe
PID 1396 wrote to memory of 4040	1396	cmd.exe	w32tm.exe
PID 1396 wrote to memory of 4040	1396	cmd.exe	w32tm.exe
PID 4040 wrote to memory of 1008	4040	w32tm.exe	w32tm.exe
PID 4040 wrote to memory of 1008	4040	w32tm.exe	w32tm.exe
PID 1396 wrote to memory of 532	1396	cmd.exe	smss.exe
PID 1396 wrote to memory of 532	1396	cmd.exe	smss.exe
PID 1396 wrote to memory of 532	1396	cmd.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\bf1b4357d7462cf24d08b3dee21a1d66.exe
"C:\Users\Admin\AppData\Local\Temp\bf1b4357d7462cf24d08b3dee21a1d66.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MxCEQ3oJVK.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3868

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\bf1b4357d7462cf24d08b3dee21a1d66.exe
"C:\Users\Admin\AppData\Local\Temp\bf1b4357d7462cf24d08b3dee21a1d66.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JRYdRgoQuz.bat"
4⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
5⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\bf1b4357d7462cf24d08b3dee21a1d66.exe
"C:\Users\Admin\AppData\Local\Temp\bf1b4357d7462cf24d08b3dee21a1d66.exe"
5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9yKkpXlrrD.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\SysWOW64\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1008

C:\odt\smss.exe
"C:\odt\smss.exe"
7⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\UnattendGC\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DiagTrack\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\DiagTrack\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Oracle\Java\installcache_x64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Oracle\Java\installcache_x64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Oracle\Java\installcache_x64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\upfc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\upfc.exe'" /rl HIGHEST /f
1⤵
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\ssh\Idle.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\ssh\Idle.exe'" /rl HIGHEST /f
1⤵
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\ssh\Idle.exe'" /rl HIGHEST /f
1⤵
PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\StartMenuExperienceHost.exe'" /f
1⤵
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Music\OfficeClickToRun.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Music\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f
1⤵
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\sihost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\wininit.exe'" /f
1⤵
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\InputMethod\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\wininit.exe'" /rl HIGHEST /f
1⤵
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\RuntimeBroker.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bf1b4357d7462cf24d08b3dee21a1d66.exe.log
Filesize
1KB

MD5
e1b159e530af554c42b6b6f3aefbd4de

SHA1
281d3767129c8aa8fc8867515578dee1eb7f39ba

SHA256
94b7640dce6d228f0d89f1d504c7143397ffa2af6adf910b501d9d51583f463e

SHA512
f373930c1dfab5e3029af93880c2f3bfc16413aaa28a563d4b953f93066facfe1ee1213e5facb6b92df79b2b3d2a2866df7c15fa2d6fe0a359186688aa7e99f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9yKkpXlrrD.bat
Filesize
180B

MD5
78062385f3742a6f8393d32e06deacad

SHA1
2f85590afc078212e87ced4ab07c48de18392002

SHA256
984dfbf013f0697096a790861fc78bdd590988e087f9301d1f5dc65cf847b0ca

SHA512
b54fc6289ecfff6f93f9cb1e0b747e933873a0c9c9d81a01c714d6fc996f8fd856c9886a5994fc294d7b8130d2a21833aec9596d6f8873766efc6f3bb370d126

Download Submit
C:\Users\Admin\AppData\Local\Temp\JRYdRgoQuz.bat
Filesize
235B

MD5
08cb52f5e0e3110b8a166403315540a2

SHA1
f38a2db714bbdc1fab8231184f7d99caca20a993

SHA256
e73fc5aa69257b8595a0d5eb50bb11b3c037ac3ebe3420aa928c8df87df722c4

SHA512
c861ec7fc791e9cf376eb05f5c92e3ecaf21e9803aa7d7179e5d0eaa008ee1b675c4d0922a69fb5a25faba67ba6831b81fbe6a0c4fd5f0818cb6ffcb981ed083

Download Submit
C:\Users\Admin\AppData\Local\Temp\MxCEQ3oJVK.bat
Filesize
235B

MD5
9d2da55286d22df018841bd64d330d61

SHA1
35ee8c7ba11b74287518aa1e43232e427f1cbf21

SHA256
b3d70e8ffcc21a38af90222ca56dd21d4580588b85649af887042cca1f697850

SHA512
9b6e669d9ba55d0152f3e6102bc569a657cc9e9bdd59382ac4ec2893015e1103738debdacd475b1097b98456637a9a475c5f2de4132c718116948709b81a7c1d

Download Submit
C:\odt\smss.exe
Filesize
2.1MB

MD5
bf1b4357d7462cf24d08b3dee21a1d66

SHA1
3d087a8956fa7e03cfd0bfe7d4b981d7f2806e38

SHA256
11aa233605f898d03e961ce0b0015071b89376ac36ed4d4faeb3d44073096f29

SHA512
0cb9ae25b25a65cd3a29726b0ee8cb2fec1fe7b1f4de3f41e5019cf99737dc2439efa6f7a0d3594496523e0bf57203c2e4d9c6b25471508907c7110fe91dcb31

Download Submit
C:\odt\smss.exe
Filesize
2.1MB

MD5
bf1b4357d7462cf24d08b3dee21a1d66

SHA1
3d087a8956fa7e03cfd0bfe7d4b981d7f2806e38

SHA256
11aa233605f898d03e961ce0b0015071b89376ac36ed4d4faeb3d44073096f29

SHA512
0cb9ae25b25a65cd3a29726b0ee8cb2fec1fe7b1f4de3f41e5019cf99737dc2439efa6f7a0d3594496523e0bf57203c2e4d9c6b25471508907c7110fe91dcb31

Download Submit
memory/532-169-0x00000000005F0000-0x0000000000B3A000-memory.dmp

Filesize
5.3MB

Download
memory/532-164-0x0000000000000000-mapping.dmp

Download
memory/532-170-0x00000000005F0000-0x0000000000B3A000-memory.dmp

Filesize
5.3MB

Download
memory/532-167-0x00000000005F0000-0x0000000000B3A000-memory.dmp

Filesize
5.3MB

Download
memory/532-168-0x00000000005F0000-0x0000000000B3A000-memory.dmp

Filesize
5.3MB

Download
memory/628-132-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/628-144-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/628-138-0x0000000007F80000-0x00000000084AC000-memory.dmp

Filesize
5.2MB

Download
memory/628-137-0x0000000006040000-0x00000000060D2000-memory.dmp

Filesize
584KB

Download
memory/628-136-0x0000000005F00000-0x0000000005F50000-memory.dmp

Filesize
320KB

Download
memory/628-139-0x00000000061B0000-0x0000000006216000-memory.dmp

Filesize
408KB

Download
memory/628-135-0x0000000006370000-0x0000000006914000-memory.dmp

Filesize
5.6MB

Download
memory/628-134-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/628-133-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/1008-163-0x0000000000000000-mapping.dmp

Download
memory/1396-159-0x0000000000000000-mapping.dmp

Download
memory/1536-153-0x0000000000000000-mapping.dmp

Download
memory/2676-149-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/2676-145-0x0000000000000000-mapping.dmp

Download
memory/2676-147-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/2676-154-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/2676-148-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/3128-142-0x0000000000000000-mapping.dmp

Download
memory/3596-158-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/3596-162-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/3596-157-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/3596-156-0x0000000000090000-0x00000000005DA000-memory.dmp

Filesize
5.3MB

Download
memory/3596-155-0x0000000000000000-mapping.dmp

Download
memory/3868-140-0x0000000000000000-mapping.dmp

Download
memory/4040-161-0x0000000000000000-mapping.dmp

Download
memory/4040-143-0x0000000000000000-mapping.dmp

Download
memory/4584-150-0x0000000000000000-mapping.dmp

Download
memory/4968-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads