dcrat | 8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

General

Target

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Size

2.1MB
MD5

f26bb4f3cc67c00580554bea3dac5e4a
SHA1

14c7857a8edc29dce1a27379f60f0d9443303627
SHA256

8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19
SHA512

32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010
SSDEEP

49152:tmyDQOI0/F/LopeanZ6QNo1y80nfLSx9ZEQCUn/ty374FM5YLCbtYY2Zy:kyDRZFTopJhTfe3ZtVy3x1btJv

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	2828	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2828	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4920-132-0x0000000000B00000-0x0000000000D2A000-memory.dmp	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat
C:\Recovery\WindowsRE\WmiPrvSE.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

WmiPrvSE.exe

pid process

3268 WmiPrvSE.exe

pid	process
3268	WmiPrvSE.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Drops file in Program Files directory 8 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Program Files\MSBuild\e1ef82546f0b02	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\9e8d7a4ca61bd9	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\dwm.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\6cb0b6c459d5d3	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Common Files\System.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Common Files\27d1bcfc3c54e0	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\MSBuild\SppExtComObj.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Drops file in Windows directory 8 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Windows\INF\.NETFramework\040C\27d1bcfc3c54e0	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\SKB\StartMenuExperienceHost.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\SKB\55b276f4edf653	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\sppsvc.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\0a1fd5f707cd16	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\INF\.NETFramework\040C\System.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
760	schtasks.exe
2128	schtasks.exe
3800	schtasks.exe
2088	schtasks.exe
1152	schtasks.exe
2416	schtasks.exe
2980	schtasks.exe
2928	schtasks.exe
4332	schtasks.exe
3628	schtasks.exe
3544	schtasks.exe
4836	schtasks.exe
3568	schtasks.exe
224	schtasks.exe
4252	schtasks.exe
4456	schtasks.exe
3132	schtasks.exe
4296	schtasks.exe
3528	schtasks.exe
1992	schtasks.exe
4256	schtasks.exe
4676	schtasks.exe
2156	schtasks.exe
2300	schtasks.exe
4624	schtasks.exe
4632	schtasks.exe
1596	schtasks.exe
2228	schtasks.exe
4996	schtasks.exe
3968	schtasks.exe
3536	schtasks.exe
3248	schtasks.exe
608	schtasks.exe
4964	schtasks.exe
1712	schtasks.exe
1896	schtasks.exe
2096	schtasks.exe
548	schtasks.exe
1592	schtasks.exe
2612	schtasks.exe
5080	schtasks.exe
4992	schtasks.exe
2952	schtasks.exe
4652	schtasks.exe
4528	schtasks.exe
1952	schtasks.exe
116	schtasks.exe
3848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exeWmiPrvSE.exe

pid	process
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
3268	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 4920 8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege 3268 WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege	3268	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	pid	process	target process
PID 4920 wrote to memory of 3268	4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	WmiPrvSE.exe
PID 4920 wrote to memory of 3268	4920	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	WmiPrvSE.exe

C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
"C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Recovery\WindowsRE\WmiPrvSE.exe
"C:\Recovery\WindowsRE\WmiPrvSE.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Recent\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\SKB\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\SKB\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\RemotePackages\RemoteDesktops\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\.NETFramework\040C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\INF\.NETFramework\040C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\INF\.NETFramework\040C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Videos\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\WmiPrvSE.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
C:\Recovery\WindowsRE\WmiPrvSE.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
memory/3268-136-0x0000000000000000-mapping.dmp

Download
memory/3268-140-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/3268-141-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/3268-142-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/4920-132-0x0000000000B00000-0x0000000000D2A000-memory.dmp

Filesize
2.2MB

Download
memory/4920-133-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download
memory/4920-134-0x0000000002FA0000-0x0000000002FF0000-memory.dmp

Filesize
320KB

Download
memory/4920-135-0x000000001D1C0000-0x000000001D6E8000-memory.dmp

Filesize
5.2MB

Download
memory/4920-139-0x00007FFBB5250000-0x00007FFBB5D11000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads