dcrat | da42677a574b2f5e9ac01fb0c3436bdf029576f1301d2c7ee6fe0ef30f535b9e

General

Target

tmp.exe
Size

3.7MB
MD5

3046d5ac745d33c5b5ea76db29ccc58e
SHA1

6711bd52d11fb81d34552bda8f7819b97341bd41
SHA256

da42677a574b2f5e9ac01fb0c3436bdf029576f1301d2c7ee6fe0ef30f535b9e
SHA512

b20dfc9b05de7116f52569a8317236d5790f6738bb56131d9bc0b642a38f4c74a90e7b8f1a5fba0d97af33388f1de161530fd11c83fb98565d2d897b572ac074
SSDEEP

98304:3LsCPUwTp1ATLdiRmAAnQ8AoY0JxDow5FXJ8QAyFqbpu8:7KwXAdLPYCUc2QDFmV

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1980	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1980	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sys.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\sys.exe	dcrat
\Users\Admin\AppData\Local\Temp\sys.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\sys.exe	dcrat
behavioral1/memory/1368-80-0x00000000010C0000-0x0000000001222000-memory.dmp	dcrat
C:\MSOCache\All Users\csrss.exe	dcrat
C:\MSOCache\All Users\csrss.exe	dcrat
behavioral1/memory/2344-89-0x00000000010F0000-0x0000000001252000-memory.dmp	dcrat

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

system.exesys.execsrss.exe

pid process

988 system.exe
1368 sys.exe
2344 csrss.exe
Loads dropped DLL 3 IoCs

Processes:

AppLaunch.exe

pid process

1316 AppLaunch.exe
1316 AppLaunch.exe
1316 AppLaunch.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of SetThreadContext 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 1976 set thread context of 1316 1976 tmp.exe AppLaunch.exe

pid	process
988	system.exe
1368	sys.exe
2344	csrss.exe

pid	process
1316	AppLaunch.exe
1316	AppLaunch.exe
1316	AppLaunch.exe

description	pid	process	target process
PID 1976 set thread context of 1316	1976	tmp.exe	AppLaunch.exe

Drops file in Program Files directory 10 IoCs

Processes:

sys.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe	sys.exe
File created	C:\Program Files (x86)\Google\153254c336e9cd	sys.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	sys.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\cc11b995f2a76d	sys.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	sys.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\cc11b995f2a76d	sys.exe
File created	C:\Program Files (x86)\Google\sys.exe	sys.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	sys.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe	sys.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	sys.exe

Drops file in Windows directory 9 IoCs

Processes:

sys.exe

description	ioc	process
File created	C:\Windows\Web\Wallpaper\Nature\spoolsv.exe	sys.exe
File created	C:\Windows\Branding\ShellBrd\winlogon.exe	sys.exe
File created	C:\Windows\de-DE\smss.exe	sys.exe
File created	C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe	sys.exe
File created	C:\Windows\Performance\WinSAT\DataStore\f3b6ecef712a24	sys.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\spoolsv.exe	sys.exe
File created	C:\Windows\Web\Wallpaper\Nature\f3b6ecef712a24	sys.exe
File created	C:\Windows\Branding\ShellBrd\cc11b995f2a76d	sys.exe
File created	C:\Windows\de-DE\69ddcba757bf72	sys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
996	schtasks.exe
920	schtasks.exe
2088	schtasks.exe
1756	schtasks.exe
2032	schtasks.exe
1188	schtasks.exe
1840	schtasks.exe
456	schtasks.exe
2136	schtasks.exe
576	schtasks.exe
804	schtasks.exe
1660	schtasks.exe
1840	schtasks.exe
1264	schtasks.exe
2156	schtasks.exe
2200	schtasks.exe
2004	schtasks.exe
2068	schtasks.exe
2240	schtasks.exe
2264	schtasks.exe
1292	schtasks.exe
1780	schtasks.exe
336	schtasks.exe
1976	schtasks.exe
2180	schtasks.exe
2220	schtasks.exe
1180	schtasks.exe
1168	schtasks.exe
1728	schtasks.exe
1568	schtasks.exe
1044	schtasks.exe
2284	schtasks.exe
1472	schtasks.exe
840	schtasks.exe
1812	schtasks.exe
904	schtasks.exe
2116	schtasks.exe
2304	schtasks.exe
1788	schtasks.exe
1616	schtasks.exe
1060	schtasks.exe
1396	schtasks.exe
1708	schtasks.exe
1740	schtasks.exe
1136	schtasks.exe
1396	schtasks.exe
976	schtasks.exe
2020	schtasks.exe
524	schtasks.exe
2008	schtasks.exe
336	schtasks.exe
1108	schtasks.exe
1756	schtasks.exe
828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

sys.execsrss.exe

pid	process
1368	sys.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe
2344	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exesys.execsrss.exe

description pid process

Token: SeDebugPrivilege 1316 AppLaunch.exe
Token: SeDebugPrivilege 1368 sys.exe
Token: SeDebugPrivilege 2344 csrss.exe

description	pid	process
Token: SeDebugPrivilege	1316	AppLaunch.exe
Token: SeDebugPrivilege	1368	sys.exe
Token: SeDebugPrivilege	2344	csrss.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

tmp.exeAppLaunch.exesystem.exesys.exe

description	pid	process	target process
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1976 wrote to memory of 1316	1976	tmp.exe	AppLaunch.exe
PID 1316 wrote to memory of 988	1316	AppLaunch.exe	system.exe
PID 1316 wrote to memory of 988	1316	AppLaunch.exe	system.exe
PID 1316 wrote to memory of 988	1316	AppLaunch.exe	system.exe
PID 1316 wrote to memory of 988	1316	AppLaunch.exe	system.exe
PID 1316 wrote to memory of 988	1316	AppLaunch.exe	system.exe
PID 1316 wrote to memory of 988	1316	AppLaunch.exe	system.exe
PID 1316 wrote to memory of 988	1316	AppLaunch.exe	system.exe
PID 988 wrote to memory of 1148	988	system.exe	cmd.exe
PID 988 wrote to memory of 1148	988	system.exe	cmd.exe
PID 988 wrote to memory of 1148	988	system.exe	cmd.exe
PID 988 wrote to memory of 1148	988	system.exe	cmd.exe
PID 988 wrote to memory of 1148	988	system.exe	cmd.exe
PID 988 wrote to memory of 1148	988	system.exe	cmd.exe
PID 988 wrote to memory of 1148	988	system.exe	cmd.exe
PID 1316 wrote to memory of 1368	1316	AppLaunch.exe	sys.exe
PID 1316 wrote to memory of 1368	1316	AppLaunch.exe	sys.exe
PID 1316 wrote to memory of 1368	1316	AppLaunch.exe	sys.exe
PID 1316 wrote to memory of 1368	1316	AppLaunch.exe	sys.exe
PID 1368 wrote to memory of 2344	1368	sys.exe	csrss.exe
PID 1368 wrote to memory of 2344	1368	sys.exe	csrss.exe
PID 1368 wrote to memory of 2344	1368	sys.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\system.exe
"C:\Users\Admin\AppData\Local\Temp\system.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe
4⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\sys.exe
"C:\Users\Admin\AppData\Local\Temp\sys.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\MSOCache\All Users\csrss.exe
"C:\MSOCache\All Users\csrss.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Nature\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Nature\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syss" /sc MINUTE /mo 14 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\sys.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sys" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\sys.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syss" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\sys.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\sys.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sys" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\sys.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\sys.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6223342-1a8a-11ed-b209-a59dca5554ed\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\csrss.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\MSOCache\All Users\csrss.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe
Filesize
2.5MB

MD5
d4c1aa3204a0a20362be094af647d35c

SHA1
f4078cff90e96e64477c3a5ecf9f7b4c5f41a888

SHA256
6b17273197480205ca53e9cca4298dc16346b65ac29d5ca883690ab1ff1b4183

SHA512
2891a2b728d0363a55a15d2159702407ebe7132a325038747240d5768b3e43d85f0ed9bf22c4c4c1cbc1658bd4271bad69ad24117fb6f50f1b2ac1dc9f657ac2

Download Submit
\Users\Admin\AppData\Local\Temp\sys.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
\Users\Admin\AppData\Local\Temp\sys.exe
Filesize
1.4MB

MD5
bbd5709ac40896d243f619941d4789c3

SHA1
d6e45ca38ffcb71b1df4fdd51c628ffdc58ab7b0

SHA256
d2ac899a907641ad38d3d535723be9fd3f581590bb461c93f30d1d2dc5706087

SHA512
61d76a75f6143acf0e15b6b6f2b9d810e71b96a32c25f3083476b1cf23bc4d0a04c609115b7def17a91872134f17aa068a484d97306eb2fdd046d97df297eb92

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe
Filesize
2.5MB

MD5
d4c1aa3204a0a20362be094af647d35c

SHA1
f4078cff90e96e64477c3a5ecf9f7b4c5f41a888

SHA256
6b17273197480205ca53e9cca4298dc16346b65ac29d5ca883690ab1ff1b4183

SHA512
2891a2b728d0363a55a15d2159702407ebe7132a325038747240d5768b3e43d85f0ed9bf22c4c4c1cbc1658bd4271bad69ad24117fb6f50f1b2ac1dc9f657ac2

Download Submit
memory/988-70-0x0000000000000000-mapping.dmp

Download
memory/1148-73-0x0000000000000000-mapping.dmp

Download
memory/1316-68-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1316-59-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/1316-67-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/1316-57-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/1316-66-0x0000000000090000-0x00000000000A8000-memory.dmp

Filesize
96KB

Download
memory/1316-65-0x00000000000A05AE-mapping.dmp

Download
memory/1368-82-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/1368-80-0x00000000010C0000-0x0000000001222000-memory.dmp

Filesize
1.4MB

Download
memory/1368-81-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/1368-83-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/1368-84-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1368-85-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/1368-76-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000000240000-0x00000000007BA000-memory.dmp

Filesize
5.5MB

Download
memory/1976-56-0x0000000000A9F000-0x0000000000AA1000-memory.dmp

Filesize
8KB

Download
memory/2344-86-0x0000000000000000-mapping.dmp

Download
memory/2344-89-0x00000000010F0000-0x0000000001252000-memory.dmp

Filesize
1.4MB

Download
memory/2344-90-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads