dcrat | a7cf2b8af0640c4e52be5e412a07a94afe6aa1675b09099805fa28a83e4736e1

General

Target

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
Size

2.4MB
MD5

1349a0a7bde438e5cc93199f47e490db
SHA1

75e68693fcb5d159112fa4299a7283138339970d
SHA256

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68
SHA512

d47a5bb8b0226fed6ba0b86d9a7fff7320e56f320293e677013a465b731b535edc4493df3d510cfe90e97b1129d3e77c723d47c5cb695b24b5dcdbf8aadc5d1e
SSDEEP

49152:KSSml331rbf32zD5TdR+y910zqsVRGQ4kWBYe9ERg8KFqRpB:KSS43odR+yDvQGkPm8rRP

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3268	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1260	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1260	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4400-132-0x00000000004E0000-0x0000000000754000-memory.dmp	dcrat
C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe	dcrat
C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

dllhost.exe

pid process

4180 dllhost.exe

pid	process
4180	dllhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 10 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\ee2ad38f3d4382	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Uninstall Information\RuntimeBroker.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Uninstall Information\9e8d7a4ca61bd9	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\9e8d7a4ca61bd9	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Windows Media Player\es-ES\StartMenuExperienceHost.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Windows Media Player\es-ES\55b276f4edf653	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\0a1fd5f707cd16	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

Drops file in Windows directory 7 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

description	ioc	process
File created	C:\Windows\CSC\upfc.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\Containers\serviced\Idle.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\Containers\serviced\6ccacd8608530f	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\Microsoft.NET\Framework\v1.0.3705\5940a34987c991	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\Logs\MoSetup\csrss.exe	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
File created	C:\Windows\Logs\MoSetup\886983d96e3d3e	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3128	schtasks.exe
2152	schtasks.exe
4392	schtasks.exe
4164	schtasks.exe
4876	schtasks.exe
1176	schtasks.exe
1356	schtasks.exe
4260	schtasks.exe
224	schtasks.exe
1896	schtasks.exe
4364	schtasks.exe
3436	schtasks.exe
5112	schtasks.exe
4088	schtasks.exe
4612	schtasks.exe
1760	schtasks.exe
2100	schtasks.exe
1092	schtasks.exe
4356	schtasks.exe
2064	schtasks.exe
1816	schtasks.exe
5060	schtasks.exe
1380	schtasks.exe
3360	schtasks.exe
4480	schtasks.exe
2188	schtasks.exe
1460	schtasks.exe
2380	schtasks.exe
676	schtasks.exe
3056	schtasks.exe
1320	schtasks.exe
4328	schtasks.exe
4192	schtasks.exe
212	schtasks.exe
3328	schtasks.exe
1680	schtasks.exe
4804	schtasks.exe
4912	schtasks.exe
1764	schtasks.exe
3268	schtasks.exe
3748	schtasks.exe
1312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exedllhost.exe

pid	process
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe
4180	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

4180 dllhost.exe

pid	process
4180	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
Token: SeDebugPrivilege	4180	dllhost.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe

description	pid	process	target process
PID 4400 wrote to memory of 4180	4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe	dllhost.exe
PID 4400 wrote to memory of 4180	4400	650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe	dllhost.exe

C:\Users\Admin\AppData\Local\Temp\650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe
"C:\Users\Admin\AppData\Local\Temp\650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe
"C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\MoSetup\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\MoSetup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\MoSetup\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Pictures\Camera Roll\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\Camera Roll\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe
Filesize
2.4MB

MD5
1349a0a7bde438e5cc93199f47e490db

SHA1
75e68693fcb5d159112fa4299a7283138339970d

SHA256
650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68

SHA512
d47a5bb8b0226fed6ba0b86d9a7fff7320e56f320293e677013a465b731b535edc4493df3d510cfe90e97b1129d3e77c723d47c5cb695b24b5dcdbf8aadc5d1e

Download Submit
C:\Windows\Microsoft.NET\Framework\v1.0.3705\dllhost.exe
Filesize
2.4MB

MD5
1349a0a7bde438e5cc93199f47e490db

SHA1
75e68693fcb5d159112fa4299a7283138339970d

SHA256
650bad83516a0f71114aea13ee9d00667312e4460225c17f1549283a1bb48c68

SHA512
d47a5bb8b0226fed6ba0b86d9a7fff7320e56f320293e677013a465b731b535edc4493df3d510cfe90e97b1129d3e77c723d47c5cb695b24b5dcdbf8aadc5d1e

Download Submit
memory/4180-136-0x0000000000000000-mapping.dmp

Download
memory/4180-140-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4180-141-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4400-132-0x00000000004E0000-0x0000000000754000-memory.dmp

Filesize
2.5MB

Download
memory/4400-133-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download
memory/4400-134-0x000000001B460000-0x000000001B4B0000-memory.dmp

Filesize
320KB

Download
memory/4400-135-0x000000001D0C0000-0x000000001D5E8000-memory.dmp

Filesize
5.2MB

Download
memory/4400-139-0x00007FFCFF2D0000-0x00007FFCFFD91000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads