dcrat | 1a44d980ad4e809fa458251d28cbf53879a8d844d45eafbffc520d12cca67265

General

Target

Adopt me/Script.exe
Size

722.0MB
MD5

16e7b0ef894bbbf25921e821c3345494
SHA1

293a85ad01ae13f7312cdebc60074dea5cb16531
SHA256

b77e54b53bfbc826658981fb3f200569bd6a16632d00d0ebb00176fa77a985db
SHA512

359f8da700bea3c8274e4dc8d996660882a08e10cabe9d6207c02a42921603c57adfd2b4291da60b3791b499ceb905e0e861ec5986f896d607cdb3ab7a469ee3
SSDEEP

24576:Bp11YGDkjwJsoGlWVwW25mKMc0uyEHcuhkypo9ePXEntalf3:BpfY5UsoGlqe5mKMc06kypSesI

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3184	schtasks.exe

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/1716-140-0x0000000000400000-0x0000000000456000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Script.exeScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Script.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	Script.exe

Executes dropped EXE 1 IoCs

Processes:

explorer.exe

pid process

3568 explorer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Script.exe

description pid process target process

PID 4076 set thread context of 1716 4076 Script.exe Script.exe

pid	process
3568	explorer.exe

description	pid	process	target process
PID 4076 set thread context of 1716	4076	Script.exe	Script.exe

Drops file in Program Files directory 5 IoCs

Processes:

Script.exe

description	ioc	process
File created	C:\Program Files\Windows Mail\dwm.exe	Script.exe
File opened for modification	C:\Program Files\Windows Mail\dwm.exe	Script.exe
File created	C:\Program Files\Windows Mail\6cb0b6c459d5d3	Script.exe
File created	C:\Program Files\Common Files\RuntimeBroker.exe	Script.exe
File created	C:\Program Files\Common Files\9e8d7a4ca61bd9	Script.exe

Drops file in Windows directory 10 IoCs

Processes:

Script.exe

description	ioc	process
File created	C:\Windows\Prefetch\ReadyBoot\eddb19405b7ce1	Script.exe
File created	C:\Windows\de-DE\5940a34987c991	Script.exe
File created	C:\Windows\ShellComponents\System.exe	Script.exe
File created	C:\Windows\ShellComponents\27d1bcfc3c54e0	Script.exe
File created	C:\Windows\GameBarPresenceWriter\explorer.exe	Script.exe
File created	C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe	Script.exe
File created	C:\Windows\de-DE\dllhost.exe	Script.exe
File created	C:\Windows\GameBarPresenceWriter\7a0fd90576e088	Script.exe
File created	C:\Windows\Offline Web Pages\smss.exe	Script.exe
File created	C:\Windows\Offline Web Pages\69ddcba757bf72	Script.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1928	schtasks.exe
3288	schtasks.exe
1260	schtasks.exe
4404	schtasks.exe
1332	schtasks.exe
3968	schtasks.exe
2988	schtasks.exe
4152	schtasks.exe
2300	schtasks.exe
2844	schtasks.exe
2072	schtasks.exe
3464	schtasks.exe
4296	schtasks.exe
4780	schtasks.exe
5076	schtasks.exe
4792	schtasks.exe
4740	schtasks.exe
5052	schtasks.exe
2660	schtasks.exe
2776	schtasks.exe
3128	schtasks.exe
4500	schtasks.exe
2944	schtasks.exe
3608	schtasks.exe
4736	schtasks.exe
4892	schtasks.exe
4364	schtasks.exe
672	schtasks.exe
2164	schtasks.exe
1536	schtasks.exe
1168	schtasks.exe
3376	schtasks.exe
1020	schtasks.exe
2500	schtasks.exe
112	schtasks.exe
3756	schtasks.exe
4160	schtasks.exe
3660	schtasks.exe
4352	schtasks.exe
3572	schtasks.exe
1540	schtasks.exe
3116	schtasks.exe
2160	schtasks.exe
3764	schtasks.exe
4340	schtasks.exe
32	schtasks.exe
4344	schtasks.exe
404	schtasks.exe
5004	schtasks.exe
4680	schtasks.exe
4384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

Script.exepowershell.exe

pid	process
1716	Script.exe
2760	powershell.exe
1716	Script.exe
1716	Script.exe
2760	powershell.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe
1716	Script.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Script.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1716 Script.exe
Token: SeDebugPrivilege 2760 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1716	Script.exe
Token: SeDebugPrivilege	2760	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

Script.exeScript.exe

description	pid	process	target process
PID 4076 wrote to memory of 2760	4076	Script.exe	powershell.exe
PID 4076 wrote to memory of 2760	4076	Script.exe	powershell.exe
PID 4076 wrote to memory of 2760	4076	Script.exe	powershell.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 4076 wrote to memory of 1716	4076	Script.exe	Script.exe
PID 1716 wrote to memory of 3568	1716	Script.exe	explorer.exe
PID 1716 wrote to memory of 3568	1716	Script.exe	explorer.exe
PID 1716 wrote to memory of 3568	1716	Script.exe	explorer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Adopt me\Script.exe
"C:\Users\Admin\AppData\Local\Temp\Adopt me\Script.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Adopt me\Script.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Users\Admin\AppData\Local\Temp\Adopt me\Script.exe
"C:\Users\Admin\AppData\Local\Temp\Adopt me\Script.exe"
2⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\GameBarPresenceWriter\explorer.exe
"C:\Windows\GameBarPresenceWriter\explorer.exe"
3⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellComponents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellComponents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\GameBarPresenceWriter\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\GameBarPresenceWriter\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Script.exe.log
Filesize
1KB

MD5
33d62ef2c354f839a8b2b987e6ee41e7

SHA1
d76f64ac411a61f3f232f7f9f7b179bd34042226

SHA256
f6a84062cb11ccf802324692c2c4c48543377cf717d98efd5de695ed6d0a97d9

SHA512
d68a426b2f4646bb45e2267d60680166a8effb9a461e5a07756ba13a3bdf36b27e6e9777d945d03a62362e6976e92214c53ffc7c4f03ec28d3fcfc9a442c5e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0reqb5c.zth.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Default\taskhostw.exe
Filesize
593.0MB

MD5
93fac4f3c3b667ee3d042bbea1e7bbd8

SHA1
290c20c9737433d48cf765283e4fb9e2813d515a

SHA256
24d60561659bb8cd3e2127770c7542ff5dec9d26f663cbec1632865fa6235cd1

SHA512
bffeb43a4af8cb5e3d553dacbef941cfb94ba0b56de1912484b0c839a4d5a51d9537a0664689845534528c39fb4e7f1fff5f7dbeab89497a9e40b0b2de5b06b5

Download Submit
C:\Windows\GameBarPresenceWriter\explorer.exe
Filesize
164.5MB

MD5
5c09d88da6971debe47d7bdc56d79df0

SHA1
c5d8d3d1fabf228c4b85caa101f632f0ef5439c9

SHA256
3113f49221e71ef50b457440eed1afb997b8358d1dee0534b23f6cf3dba1d830

SHA512
8e0356894828839c3126d8a16f68550b4442cdc522092544391056ca98c6a311794e76c4e6587a42998ebd9b6a42748a4f5675037f1fea8b34301fa259977103

Download Submit
C:\Windows\GameBarPresenceWriter\explorer.exe
Filesize
167.6MB

MD5
79d7f020b902c3485fbf35819077d00f

SHA1
e850440cb269939757a9f715eb7b0a33d4d323be

SHA256
21c27b928499cf0f7099203c5f9bf32015be55bf17a7c647b85d7a0f0e4e7ab9

SHA512
7f357b12bd11574364cb6fca2d89135142558a8da3b9eac04efc3b203ecd3e4ab285bfd02aa664fe060cbbda81d65364494bcfda8413f1fec791a306ed7861ef

Download Submit
memory/1716-140-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1716-158-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2760-141-0x0000000002380000-0x00000000023B6000-memory.dmp

Filesize
216KB

Download
memory/2760-164-0x0000000004A10000-0x0000000004A42000-memory.dmp

Filesize
200KB

Download
memory/2760-143-0x0000000004DB0000-0x00000000053D8000-memory.dmp

Filesize
6.2MB

Download
memory/2760-144-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/2760-145-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/2760-184-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/2760-146-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/2760-156-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2760-157-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2760-183-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/2760-159-0x0000000005C90000-0x0000000005CAE000-memory.dmp

Filesize
120KB

Download
memory/2760-162-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/2760-163-0x000000007F240000-0x000000007F250000-memory.dmp

Filesize
64KB

Download
memory/2760-182-0x00000000071E0000-0x00000000071EE000-memory.dmp

Filesize
56KB

Download
memory/2760-165-0x0000000070DB0000-0x0000000070DFC000-memory.dmp

Filesize
304KB

Download
memory/2760-175-0x00000000049F0000-0x0000000004A0E000-memory.dmp

Filesize
120KB

Download
memory/2760-176-0x00000000075F0000-0x0000000007C6A000-memory.dmp

Filesize
6.5MB

Download
memory/2760-177-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

Filesize
104KB

Download
memory/2760-178-0x0000000007020000-0x000000000702A000-memory.dmp

Filesize
40KB

Download
memory/2760-179-0x0000000007230000-0x00000000072C6000-memory.dmp

Filesize
600KB

Download
memory/3568-228-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/4076-133-0x0000000000360000-0x0000000000478000-memory.dmp

Filesize
1.1MB

Download
memory/4076-138-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4076-139-0x0000000006A80000-0x0000000006B1C000-memory.dmp

Filesize
624KB

Download
memory/4076-137-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/4076-136-0x0000000004FD0000-0x0000000004FDA000-memory.dmp

Filesize
40KB

Download
memory/4076-135-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/4076-134-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads