dcrat | 56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9

General

Target

a99334c099cac557b3bc62ae7654d3b4.exe
Size

1.5MB
MD5

a99334c099cac557b3bc62ae7654d3b4
SHA1

e1c5e919cd32b2ef32a04920a9992bce6f9e677d
SHA256

56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9
SHA512

3238f9a88d0284142731d66e2c94ef88208acadfa3996086237bc076fb05491edd955670fafd47642ed77a47cb971cafd73fb0a10e293842ccfab0aa254eef66
SSDEEP

24576:VSMRshqVg7knYt0srvDhKaU80v3X3Po/ZLJVwZZ+Z5bNAsTio:0OXMTt0KbhU8GeZLLI85bNAs

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2808	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	2808	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4652-132-0x00000000003F0000-0x000000000056A000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe	dcrat
C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

4068 spoolsv.exe

pid	process
4068	spoolsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a99334c099cac557b3bc62ae7654d3b4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a99334c099cac557b3bc62ae7654d3b4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 11 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files\Uninstall Information\WmiPrvSE.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files\WindowsApps\dwm.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\f3b6ecef712a24	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\ea9f0e6c9e2dcd	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files\Uninstall Information\24dbde2999530e	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files (x86)\Microsoft\Edge\csrss.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files (x86)\Microsoft\Edge\886983d96e3d3e	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	a99334c099cac557b3bc62ae7654d3b4.exe

Drops file in Windows directory 10 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exe

description	ioc	process
File created	C:\Windows\L2Schemas\7a0fd90576e088	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\bcastdvr\69ddcba757bf72	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\security\c5b4cb5e9653cc	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Panther\actionqueue\dllhost.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\L2Schemas\explorer.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\bcastdvr\smss.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\security\services.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\Panther\actionqueue\5940a34987c991	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\SchCache\dllhost.exe	a99334c099cac557b3bc62ae7654d3b4.exe
File created	C:\Windows\SchCache\5940a34987c991	a99334c099cac557b3bc62ae7654d3b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4336	schtasks.exe
5052	schtasks.exe
4772	schtasks.exe
4952	schtasks.exe
2656	schtasks.exe
3588	schtasks.exe
4312	schtasks.exe
4720	schtasks.exe
3464	schtasks.exe
3332	schtasks.exe
4916	schtasks.exe
4912	schtasks.exe
4988	schtasks.exe
4536	schtasks.exe
4752	schtasks.exe
1180	schtasks.exe
3440	schtasks.exe
2200	schtasks.exe
208	schtasks.exe
2084	schtasks.exe
1876	schtasks.exe
792	schtasks.exe
1448	schtasks.exe
4616	schtasks.exe
4932	schtasks.exe
3652	schtasks.exe
4848	schtasks.exe
2472	schtasks.exe
5000	schtasks.exe
2316	schtasks.exe
372	schtasks.exe
4384	schtasks.exe
1880	schtasks.exe
2324	schtasks.exe
4240	schtasks.exe
4220	schtasks.exe
3996	schtasks.exe
4372	schtasks.exe
4684	schtasks.exe
2660	schtasks.exe
2188	schtasks.exe
672	schtasks.exe
624	schtasks.exe
3884	schtasks.exe
4228	schtasks.exe
116	schtasks.exe
2064	schtasks.exe
4824	schtasks.exe
4584	schtasks.exe
804	schtasks.exe
1240	schtasks.exe
1400	schtasks.exe
1552	schtasks.exe
4084	schtasks.exe
3004	schtasks.exe
3200	schtasks.exe
1140	schtasks.exe

Modifies registry class 1 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	a99334c099cac557b3bc62ae7654d3b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exespoolsv.exe

pid	process
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4652	a99334c099cac557b3bc62ae7654d3b4.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe
4068	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 4652 a99334c099cac557b3bc62ae7654d3b4.exe
Token: SeDebugPrivilege 4068 spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	4652	a99334c099cac557b3bc62ae7654d3b4.exe
Token: SeDebugPrivilege	4068	spoolsv.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

a99334c099cac557b3bc62ae7654d3b4.execmd.exe

description	pid	process	target process
PID 4652 wrote to memory of 3516	4652	a99334c099cac557b3bc62ae7654d3b4.exe	cmd.exe
PID 4652 wrote to memory of 3516	4652	a99334c099cac557b3bc62ae7654d3b4.exe	cmd.exe
PID 3516 wrote to memory of 4552	3516	cmd.exe	w32tm.exe
PID 3516 wrote to memory of 4552	3516	cmd.exe	w32tm.exe
PID 3516 wrote to memory of 4068	3516	cmd.exe	spoolsv.exe
PID 3516 wrote to memory of 4068	3516	cmd.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\a99334c099cac557b3bc62ae7654d3b4.exe
"C:\Users\Admin\AppData\Local\Temp\a99334c099cac557b3bc62ae7654d3b4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y7afBW9UHb.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:4552

C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe
"C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\bcastdvr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\bcastdvr\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\security\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\security\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\security\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft\Edge\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\Edge\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\actionqueue\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\actionqueue\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a99334c099cac557b3bc62ae7654d3b4a" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\a99334c099cac557b3bc62ae7654d3b4.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a99334c099cac557b3bc62ae7654d3b4" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\a99334c099cac557b3bc62ae7654d3b4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a99334c099cac557b3bc62ae7654d3b4a" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\a99334c099cac557b3bc62ae7654d3b4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe
Filesize
1.5MB

MD5
a99334c099cac557b3bc62ae7654d3b4

SHA1
e1c5e919cd32b2ef32a04920a9992bce6f9e677d

SHA256
56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9

SHA512
3238f9a88d0284142731d66e2c94ef88208acadfa3996086237bc076fb05491edd955670fafd47642ed77a47cb971cafd73fb0a10e293842ccfab0aa254eef66

Download Submit
C:\Program Files (x86)\Windows Media Player\en-US\spoolsv.exe
Filesize
1.5MB

MD5
a99334c099cac557b3bc62ae7654d3b4

SHA1
e1c5e919cd32b2ef32a04920a9992bce6f9e677d

SHA256
56c6f0d228895d66b602e7c81e4e54e7bf9d42d922272dcb3e35c422d375cbd9

SHA512
3238f9a88d0284142731d66e2c94ef88208acadfa3996086237bc076fb05491edd955670fafd47642ed77a47cb971cafd73fb0a10e293842ccfab0aa254eef66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y7afBW9UHb.bat
Filesize
226B

MD5
a529de7fcd06e390a1f85fd4e150807c

SHA1
4d1a11c074a92a15e296863290400ac3d2b40469

SHA256
2f1f9e923a8820fda68727e3bfad978d17373413968b45ba1ea3464fc5af5f88

SHA512
3c1f71f7048f76cb6d44cf5bf58950e1537ae54859f6ad39fee2af0cdcb17d1c0a0eabe45e7fe1d2c61a7fce6ee7a83d3e3d1bf2d1074b7a1feb63a68e0b1d95

Download Submit
memory/3516-136-0x0000000000000000-mapping.dmp

Download
memory/4068-140-0x0000000000000000-mapping.dmp

Download
memory/4068-143-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/4068-144-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/4552-138-0x0000000000000000-mapping.dmp

Download
memory/4652-135-0x000000001CE90000-0x000000001D3B8000-memory.dmp

Filesize
5.2MB

Download
memory/4652-139-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download
memory/4652-134-0x000000001C730000-0x000000001C780000-memory.dmp

Filesize
320KB

Download
memory/4652-132-0x00000000003F0000-0x000000000056A000-memory.dmp

Filesize
1.5MB

Download
memory/4652-133-0x00007FFE097D0000-0x00007FFE0A291000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads