dcrat | cd349d60bec07656d19b9c1c515ea91bf0b8479119efee85b695003e41016cb0

General

Target

file.exe
Size

1.1MB
MD5

891e40a67cf2947614a49eac3e5da46f
SHA1

e4d356ec2ff910b8d3e65d13eb44be72aefa6eb4
SHA256

cd349d60bec07656d19b9c1c515ea91bf0b8479119efee85b695003e41016cb0
SHA512

3cd15f70c1cc5b93203fad9c460cb2ed2c795afd96366a28d6dbc291f1972f5f0ac7712d41216376eb65a25cdc0a20a4702059634080fbf786c1f1315067b505
SSDEEP

24576:u2G/nvxW3WieC48NP/nX2UYv1BmaH+a7BMq:ubA3jBHnGUYvNH+8

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1412	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1412	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\hyperAgentFontruntimecrt\reviewHost.exe	dcrat
C:\hyperAgentFontruntimecrt\reviewHost.exe	dcrat
\hyperAgentFontruntimecrt\reviewHost.exe	dcrat
C:\hyperAgentFontruntimecrt\reviewHost.exe	dcrat
behavioral1/memory/1184-65-0x0000000000B50000-0x0000000000C26000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe	dcrat
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe	dcrat
behavioral1/memory/2460-69-0x0000000000DE0000-0x0000000000EB6000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

reviewHost.execsrss.exe

pid process

1184 reviewHost.exe
2460 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

432 cmd.exe
432 cmd.exe

pid	process
432	cmd.exe
432	cmd.exe

Drops file in Program Files directory 13 IoCs

Processes:

reviewHost.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\en-US\wininit.exe	reviewHost.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	reviewHost.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe	reviewHost.exe
File created	C:\Program Files (x86)\Google\Update\lsm.exe	reviewHost.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe	reviewHost.exe
File created	C:\Program Files (x86)\Uninstall Information\69ddcba757bf72	reviewHost.exe
File created	C:\Program Files\Windows Sidebar\en-US\wininit.exe	reviewHost.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	reviewHost.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\69ddcba757bf72	reviewHost.exe
File created	C:\Program Files (x86)\Google\Update\101b941d020240	reviewHost.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\56085415360792	reviewHost.exe
File created	C:\Program Files (x86)\Uninstall Information\smss.exe	reviewHost.exe
File created	C:\Program Files\Windows Sidebar\en-US\56085415360792	reviewHost.exe

Drops file in Windows directory 6 IoCs

Processes:

reviewHost.exe

description	ioc	process
File created	C:\Windows\Branding\Basebrd\it-IT\dwm.exe	reviewHost.exe
File created	C:\Windows\Branding\Basebrd\it-IT\6cb0b6c459d5d3	reviewHost.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe	reviewHost.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\24dbde2999530e	reviewHost.exe
File created	C:\Windows\Tasks\winlogon.exe	reviewHost.exe
File created	C:\Windows\Tasks\cc11b995f2a76d	reviewHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1612	schtasks.exe
1240	schtasks.exe
1860	schtasks.exe
1956	schtasks.exe
2084	schtasks.exe
2380	schtasks.exe
2404	schtasks.exe
924	schtasks.exe
1816	schtasks.exe
1680	schtasks.exe
1620	schtasks.exe
1892	schtasks.exe
1592	schtasks.exe
2224	schtasks.exe
556	schtasks.exe
2184	schtasks.exe
2244	schtasks.exe
1640	schtasks.exe
1720	schtasks.exe
2316	schtasks.exe
1684	schtasks.exe
2020	schtasks.exe
384	schtasks.exe
996	schtasks.exe
1936	schtasks.exe
1716	schtasks.exe
1752	schtasks.exe
2356	schtasks.exe
992	schtasks.exe
1256	schtasks.exe
848	schtasks.exe
2132	schtasks.exe
2208	schtasks.exe
2336	schtasks.exe
1680	schtasks.exe
1156	schtasks.exe
928	schtasks.exe
1760	schtasks.exe
640	schtasks.exe
2064	schtasks.exe
2116	schtasks.exe
2160	schtasks.exe
2292	schtasks.exe
684	schtasks.exe
1400	schtasks.exe
620	schtasks.exe
1756	schtasks.exe
2272	schtasks.exe
2424	schtasks.exe
1704	schtasks.exe
1700	schtasks.exe
476	schtasks.exe
1668	schtasks.exe
1972	schtasks.exe
852	schtasks.exe
1596	schtasks.exe
1552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

reviewHost.execsrss.exe

pid	process
1184	reviewHost.exe
1184	reviewHost.exe
1184	reviewHost.exe
1184	reviewHost.exe
1184	reviewHost.exe
2460	csrss.exe
2460	csrss.exe
2460	csrss.exe
2460	csrss.exe
2460	csrss.exe
2460	csrss.exe
2460	csrss.exe
2460	csrss.exe
2460	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

reviewHost.execsrss.exe

description pid process

Token: SeDebugPrivilege 1184 reviewHost.exe
Token: SeDebugPrivilege 2460 csrss.exe

description	pid	process
Token: SeDebugPrivilege	1184	reviewHost.exe
Token: SeDebugPrivilege	2460	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

file.exeWScript.execmd.exereviewHost.exe

description	pid	process	target process
PID 2024 wrote to memory of 2020	2024	file.exe	WScript.exe
PID 2024 wrote to memory of 2020	2024	file.exe	WScript.exe
PID 2024 wrote to memory of 2020	2024	file.exe	WScript.exe
PID 2024 wrote to memory of 2020	2024	file.exe	WScript.exe
PID 2020 wrote to memory of 432	2020	WScript.exe	cmd.exe
PID 2020 wrote to memory of 432	2020	WScript.exe	cmd.exe
PID 2020 wrote to memory of 432	2020	WScript.exe	cmd.exe
PID 2020 wrote to memory of 432	2020	WScript.exe	cmd.exe
PID 432 wrote to memory of 1184	432	cmd.exe	reviewHost.exe
PID 432 wrote to memory of 1184	432	cmd.exe	reviewHost.exe
PID 432 wrote to memory of 1184	432	cmd.exe	reviewHost.exe
PID 432 wrote to memory of 1184	432	cmd.exe	reviewHost.exe
PID 1184 wrote to memory of 2460	1184	reviewHost.exe	csrss.exe
PID 1184 wrote to memory of 2460	1184	reviewHost.exe	csrss.exe
PID 1184 wrote to memory of 2460	1184	reviewHost.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hyperAgentFontruntimecrt\knppr2OhYNrDcsHABVUWa9t9.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\hyperAgentFontruntimecrt\8coh2Db8oe1OMJcuBsHgyEY4Vgv.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432

C:\hyperAgentFontruntimecrt\reviewHost.exe
"C:\hyperAgentFontruntimecrt\reviewHost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe
"C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\Basebrd\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Downloads\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\hyperAgentFontruntimecrt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hyperAgentFontruntimecrt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\hyperAgentFontruntimecrt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\ed738222-6219-11ed-b5ae-5e34c4ab0fa3\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
C:\hyperAgentFontruntimecrt\8coh2Db8oe1OMJcuBsHgyEY4Vgv.bat

Filesize
44B

MD5
dee5d18f8b03004aedda53a4f918bdd6

SHA1
981bd345473f200a185ce5068641a8c1ef5bc9a1

SHA256
c6363b2447b1155461ca9a15577d9d41234cfd4bfa38c600dbddce982d3c845c

SHA512
a8c7c45e3d3d63cfa02756bf8d28bd25ad40fc2b8d500d92771a81da956b67c045fcb6cedc8cae9bab84213bea29b88e7bef08f9815a55618215ab2028b37ff4

Download Submit
C:\hyperAgentFontruntimecrt\knppr2OhYNrDcsHABVUWa9t9.vbe

Filesize
228B

MD5
b622f5403cab06388a6e7e74971b9ed5

SHA1
72a3b926c643768fcf6d185e8ca9335a2f3b5fe6

SHA256
56b3436fc9e59276a6362243c0dd815ea65fa8ec3986f57b52d8886134db9352

SHA512
cf8e5a421cd75d62ea66aa84499db7c29039bec38b4d925ef6f09d15f14bab8961fe7ed4ff73b828cdce4e900bb6b58b7aaf2c6b0715302b11e5ed2f287ba75d

Download Submit
C:\hyperAgentFontruntimecrt\reviewHost.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
C:\hyperAgentFontruntimecrt\reviewHost.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
\hyperAgentFontruntimecrt\reviewHost.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
\hyperAgentFontruntimecrt\reviewHost.exe

Filesize
829KB

MD5
d192ab81723626b35758ff6cf3f86748

SHA1
7e7789e60919d9a23766306eb92a9876c16f988f

SHA256
92799cc9b2176d9d8b8ef1647ac797649759856f4cde425851bb5c815ba451f3

SHA512
2a99f3924f1c78139ebd87be8e77bc0ace6742aae3778e87af0f9743320c80397f791dcf787b10964333fbdbdbefdd1a45a84934aecbd1b0709bdaabccb068a7

Download Submit
memory/432-59-0x0000000000000000-mapping.dmp

Download
memory/1184-63-0x0000000000000000-mapping.dmp

Download
memory/1184-65-0x0000000000B50000-0x0000000000C26000-memory.dmp

Filesize
856KB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download
memory/2024-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/2460-66-0x0000000000000000-mapping.dmp

Download
memory/2460-69-0x0000000000DE0000-0x0000000000EB6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads