dcrat | a7cf2b8af0640c4e52be5e412a07a94afe6aa1675b09099805fa28a83e4736e1

General

Target

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
Size

2.4MB
MD5

1349a0a7bde438e5cc93199f47e490db
SHA1

75e68693fcb5d159112fa4299a7283138339970d
SHA256

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68
SHA512

d47a5bb8b0226fed6ba0b86d9a7fff7320e56f320293e677013a465b731b535edc4493df3d510cfe90e97b1129d3e77c723d47c5cb695b24b5dcdbf8aadc5d1e
SSDEEP

49152:KSSml331rbf32zD5TdR+y910zqsVRGQ4kWBYe9ERg8KFqRpB:KSS43odR+yDvQGkPm8rRP

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1852	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1852	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1172-54-0x00000000000D0000-0x0000000000344000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	dcrat
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	dcrat
behavioral1/memory/1444-70-0x0000000001050000-0x00000000012C4000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

taskhost.exe

pid process

1444 taskhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1444	taskhost.exe

Drops file in Program Files directory 13 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\it-IT\spoolsv.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\winlogon.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\b75386f1303e64	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\886983d96e3d3e	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\WMIADAP.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Windows Media Player\it-IT\spoolsv.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Windows Media Player\it-IT\f3b6ecef712a24	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\cc11b995f2a76d	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\75a57c1bdf437c	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

Drops file in Windows directory 3 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_6.1.7601.17514_en-us_19328f568d3b4e53\lsass.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\DigitalLocker\fr-FR\dwm.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\DigitalLocker\fr-FR\6cb0b6c459d5d3	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2004	schtasks.exe
1260	schtasks.exe
1832	schtasks.exe
1280	schtasks.exe
1812	schtasks.exe
1332	schtasks.exe
968	schtasks.exe
1540	schtasks.exe
764	schtasks.exe
932	schtasks.exe
1648	schtasks.exe
1668	schtasks.exe
1488	schtasks.exe
1960	schtasks.exe
1568	schtasks.exe
1644	schtasks.exe
1528	schtasks.exe
764	schtasks.exe
940	schtasks.exe
1280	schtasks.exe
1564	schtasks.exe
292	schtasks.exe
564	schtasks.exe
2044	schtasks.exe
1924	schtasks.exe
636	schtasks.exe
1756	schtasks.exe
1912	schtasks.exe
752	schtasks.exe
1672	schtasks.exe
880	schtasks.exe
1964	schtasks.exe
1332	schtasks.exe
1680	schtasks.exe
1468	schtasks.exe
640	schtasks.exe
292	schtasks.exe
1292	schtasks.exe
1264	schtasks.exe
1828	schtasks.exe
1648	schtasks.exe
1912	schtasks.exe
1672	schtasks.exe
360	schtasks.exe
2004	schtasks.exe
1628	schtasks.exe
752	schtasks.exe
844	schtasks.exe
1848	schtasks.exe
1864	schtasks.exe
932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exetaskhost.exe

pid	process
1172	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
1172	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
1172	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe
1444	taskhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1172	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
Token: SeDebugPrivilege	1444	taskhost.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.execmd.exe

description	pid	process	target process
PID 1172 wrote to memory of 2008	1172	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe	cmd.exe
PID 1172 wrote to memory of 2008	1172	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe	cmd.exe
PID 1172 wrote to memory of 2008	1172	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe	cmd.exe
PID 2008 wrote to memory of 436	2008	cmd.exe	w32tm.exe
PID 2008 wrote to memory of 436	2008	cmd.exe	w32tm.exe
PID 2008 wrote to memory of 436	2008	cmd.exe	w32tm.exe
PID 2008 wrote to memory of 1444	2008	cmd.exe	taskhost.exe
PID 2008 wrote to memory of 1444	2008	cmd.exe	taskhost.exe
PID 2008 wrote to memory of 1444	2008	cmd.exe	taskhost.exe

C:\Users\Admin\AppData\Local\Temp\650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
"C:\Users\Admin\AppData\Local\Temp\650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u1EJnjMs4F.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:436

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe
"C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\c11c4da2-1a8a-11ed-8505-e0b24281b398\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe

Filesize
2.4MB

MD5
1349a0a7bde438e5cc93199f47e490db

SHA1
75e68693fcb5d159112fa4299a7283138339970d

SHA256
650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68

SHA512
d47a5bb8b0226fed6ba0b86d9a7fff7320e56f320293e677013a465b731b535edc4493df3d510cfe90e97b1129d3e77c723d47c5cb695b24b5dcdbf8aadc5d1e

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe

Filesize
2.4MB

MD5
1349a0a7bde438e5cc93199f47e490db

SHA1
75e68693fcb5d159112fa4299a7283138339970d

SHA256
650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68

SHA512
d47a5bb8b0226fed6ba0b86d9a7fff7320e56f320293e677013a465b731b535edc4493df3d510cfe90e97b1129d3e77c723d47c5cb695b24b5dcdbf8aadc5d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1EJnjMs4F.bat

Filesize
248B

MD5
0e247291c823ecb69e1e88442973b85c

SHA1
a80570d8a09b1e7a71d5e01bb910a8bc76c54cf8

SHA256
cc1ad33d997b6db11ca9238a983fe60a0e2d6a20319242d574a92f48d1488c8b

SHA512
6dab142c0b7d2aeeaf327b7bd4941b4f168929d09cc6a7de4290cc19c9ef3bdf62d521c0ce0dd1fb67bb5b213d7a10ac4d4ccffb000e8bdc5f535bf53be9d63c

Download Submit
memory/436-66-0x0000000000000000-mapping.dmp

Download
memory/1172-58-0x000000001AE70000-0x000000001AEC6000-memory.dmp

Filesize
344KB

Download
memory/1172-54-0x00000000000D0000-0x0000000000344000-memory.dmp

Filesize
2.5MB

Download
memory/1172-60-0x00000000009B0000-0x00000000009BE000-memory.dmp

Filesize
56KB

Download
memory/1172-61-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1172-62-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/1172-63-0x0000000002020000-0x000000000202C000-memory.dmp

Filesize
48KB

Download
memory/1172-55-0x0000000000960000-0x000000000097C000-memory.dmp

Filesize
112KB

Download
memory/1172-59-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/1172-57-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1172-56-0x0000000000980000-0x0000000000996000-memory.dmp

Filesize
88KB

Download
memory/1444-68-0x0000000000000000-mapping.dmp

Download
memory/1444-70-0x0000000001050000-0x00000000012C4000-memory.dmp

Filesize
2.5MB

Download
memory/1444-71-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2008-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads