dcrat | c66b91cd0446d231445052af25b86edc15127b4313e40457f6697850da21810d

General

Target

1e9d648839d6df31421c48fc5a58fdb1.exe
Size

1.3MB
MD5

1e9d648839d6df31421c48fc5a58fdb1
SHA1

8824a936225692b169bf16491e85f71149a15a90
SHA256

c66b91cd0446d231445052af25b86edc15127b4313e40457f6697850da21810d
SHA512

02a41349d165462c777970bbc41c5b3b86ad2b5af68c62e7f6e248fb3e169d9ac065039630848d1631a0e10ef43b6870d69c85f20e24904c8e638b6cf8e0f7ea
SSDEEP

24576:kOHLrVJI42Vq2TjMqmMdTjtFSV3pwcaHigoqOIW1Khv:h1JCVm5UxFsGVl

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2016	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2016	schtasks.exe

Executes dropped EXE 1 IoCs

Processes:

spoolsv.exe

pid process

2092 spoolsv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2092	spoolsv.exe

Drops file in Program Files directory 7 IoCs

Processes:

1e9d648839d6df31421c48fc5a58fdb1.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6203df4a6bafc7	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\taskhost.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\b75386f1303e64	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Program Files\Java\1e9d648839d6df31421c48fc5a58fdb1.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File opened for modification	C:\Program Files\Java\1e9d648839d6df31421c48fc5a58fdb1.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Program Files\Java\2eff06abb17bdd	1e9d648839d6df31421c48fc5a58fdb1.exe

Drops file in Windows directory 12 IoCs

Processes:

1e9d648839d6df31421c48fc5a58fdb1.exe

description	ioc	process
File created	C:\Windows\Performance\WinSAT\DataStore\2eff06abb17bdd	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\ehome\f3b6ecef712a24	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\AppCompat\Programs\taskhost.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\AppCompat\Programs\b75386f1303e64	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\SchCache\886983d96e3d3e	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\DigitalLocker\System.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\DigitalLocker\27d1bcfc3c54e0	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\Performance\WinSAT\DataStore\1e9d648839d6df31421c48fc5a58fdb1.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\ehome\spoolsv.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\SchCache\csrss.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\Offline Web Pages\1e9d648839d6df31421c48fc5a58fdb1.exe	1e9d648839d6df31421c48fc5a58fdb1.exe
File created	C:\Windows\Offline Web Pages\2eff06abb17bdd	1e9d648839d6df31421c48fc5a58fdb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
768	schtasks.exe
2040	schtasks.exe
548	schtasks.exe
1536	schtasks.exe
1740	schtasks.exe
1496	schtasks.exe
1472	schtasks.exe
584	schtasks.exe
696	schtasks.exe
1188	schtasks.exe
1068	schtasks.exe
2064	schtasks.exe
1116	schtasks.exe
1700	schtasks.exe
808	schtasks.exe
1392	schtasks.exe
2012	schtasks.exe
1696	schtasks.exe
1492	schtasks.exe
1564	schtasks.exe
1784	schtasks.exe
1620	schtasks.exe
1588	schtasks.exe
1000	schtasks.exe
1216	schtasks.exe
2036	schtasks.exe
1000	schtasks.exe
924	schtasks.exe
1692	schtasks.exe
2012	schtasks.exe
1972	schtasks.exe
996	schtasks.exe
112	schtasks.exe
1948	schtasks.exe
1780	schtasks.exe
1952	schtasks.exe
1280	schtasks.exe
1808	schtasks.exe
1576	schtasks.exe
1108	schtasks.exe
1292	schtasks.exe
1716	schtasks.exe
1188	schtasks.exe
1596	schtasks.exe
1788	schtasks.exe
1184	schtasks.exe
1368	schtasks.exe
828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

1e9d648839d6df31421c48fc5a58fdb1.exespoolsv.exe

pid	process
1720	1e9d648839d6df31421c48fc5a58fdb1.exe
1720	1e9d648839d6df31421c48fc5a58fdb1.exe
1720	1e9d648839d6df31421c48fc5a58fdb1.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1e9d648839d6df31421c48fc5a58fdb1.exespoolsv.exe

description pid process

Token: SeDebugPrivilege 1720 1e9d648839d6df31421c48fc5a58fdb1.exe
Token: SeDebugPrivilege 2092 spoolsv.exe

description	pid	process
Token: SeDebugPrivilege	1720	1e9d648839d6df31421c48fc5a58fdb1.exe
Token: SeDebugPrivilege	2092	spoolsv.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1e9d648839d6df31421c48fc5a58fdb1.exe

description	pid	process	target process
PID 1720 wrote to memory of 2092	1720	1e9d648839d6df31421c48fc5a58fdb1.exe	spoolsv.exe
PID 1720 wrote to memory of 2092	1720	1e9d648839d6df31421c48fc5a58fdb1.exe	spoolsv.exe
PID 1720 wrote to memory of 2092	1720	1e9d648839d6df31421c48fc5a58fdb1.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\1e9d648839d6df31421c48fc5a58fdb1.exe
"C:\Users\Admin\AppData\Local\Temp\1e9d648839d6df31421c48fc5a58fdb1.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\ehome\spoolsv.exe
"C:\Windows\ehome\spoolsv.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb11" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\1e9d648839d6df31421c48fc5a58fdb1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb1" /sc ONLOGON /tr "'C:\Program Files\Java\1e9d648839d6df31421c48fc5a58fdb1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb11" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\1e9d648839d6df31421c48fc5a58fdb1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb11" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\1e9d648839d6df31421c48fc5a58fdb1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb1" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\1e9d648839d6df31421c48fc5a58fdb1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb11" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\1e9d648839d6df31421c48fc5a58fdb1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ehome\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\Programs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb11" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\1e9d648839d6df31421c48fc5a58fdb1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb1" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\1e9d648839d6df31421c48fc5a58fdb1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e9d648839d6df31421c48fc5a58fdb11" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\1e9d648839d6df31421c48fc5a58fdb1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ehome\spoolsv.exe
Filesize
1.3MB

MD5
1e9d648839d6df31421c48fc5a58fdb1

SHA1
8824a936225692b169bf16491e85f71149a15a90

SHA256
c66b91cd0446d231445052af25b86edc15127b4313e40457f6697850da21810d

SHA512
02a41349d165462c777970bbc41c5b3b86ad2b5af68c62e7f6e248fb3e169d9ac065039630848d1631a0e10ef43b6870d69c85f20e24904c8e638b6cf8e0f7ea

Download Submit
C:\Windows\ehome\spoolsv.exe
Filesize
1.3MB

MD5
1e9d648839d6df31421c48fc5a58fdb1

SHA1
8824a936225692b169bf16491e85f71149a15a90

SHA256
c66b91cd0446d231445052af25b86edc15127b4313e40457f6697850da21810d

SHA512
02a41349d165462c777970bbc41c5b3b86ad2b5af68c62e7f6e248fb3e169d9ac065039630848d1631a0e10ef43b6870d69c85f20e24904c8e638b6cf8e0f7ea

Download Submit
memory/1720-54-0x0000000001170000-0x00000000012CA000-memory.dmp

Filesize
1.4MB

Download
memory/1720-55-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1720-56-0x0000000000470000-0x000000000048C000-memory.dmp

Filesize
112KB

Download
memory/1720-57-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/1720-58-0x00000000001D0000-0x00000000001DE000-memory.dmp

Filesize
56KB

Download
memory/1720-59-0x0000000000350000-0x000000000035E000-memory.dmp

Filesize
56KB

Download
memory/1720-60-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2092-61-0x0000000000000000-mapping.dmp

Download
memory/2092-64-0x0000000000CC0000-0x0000000000E1A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads