dcrat | 3a9470103bc418e35d2d2a6dd529a6ed86efdbb5b9cf9829470e0c34dc83745c

General

Target

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
Size

382KB
MD5

aacf5c0709892fb2b34a58f13a509a72
SHA1

5d96eee503b2e50f32ead6f0a2c9d53d1a8629e2
SHA256

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95
SHA512

bf707ec37d4151e8c6790c365635a6c577a8f19cbe81eaa7c8b4100f4def6a2a177796700f2ffc7317b306e52004ccb4aff1eba8457448235a06c8947cd806c7
SSDEEP

6144:aZOyN3U5qAkANOhVTu0chaE4OJ5rBM/vt9APsOYrDSIbd7C53WTvL1wCqy:aZNE5hAhVnE48S/vt92YDSE7xLx

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4328	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	4328	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2996-133-0x0000000000D50000-0x0000000000DB6000-memory.dmp	dcrat
C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backgroundTaskHost.exe	dcrat
C:\Recovery\WindowsRE\unsecapp.exe	dcrat
C:\Recovery\WindowsRE\unsecapp.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

Executes dropped EXE 1 IoCs

Processes:

unsecapp.exe

pid process

4472 unsecapp.exe

pid	process
4472	unsecapp.exe

Drops file in Program Files directory 10 IoCs

Processes:

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\eddb19405b7ce1	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\0a1fd5f707cd16	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\24dbde2999530e	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backgroundTaskHost.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\7a0fd90576e088	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\WmiPrvSE.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

Drops file in Windows directory 6 IoCs

Processes:

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

description	ioc	process
File created	C:\Windows\Containers\serviced\csrss.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Windows\Containers\serviced\886983d96e3d3e	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-wmiv2-wmidcom-dll_31bf3856ad364e35_10.0.19041.1_none_fbef575a7739e915\sppsvc.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Windows\servicing\FodMetadata\metadata\OfficeClickToRun.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Windows\fr-FR\RuntimeBroker.exe	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
File created	C:\Windows\fr-FR\9e8d7a4ca61bd9	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1560	schtasks.exe
4724	schtasks.exe
1156	schtasks.exe
4288	schtasks.exe
4784	schtasks.exe
4108	schtasks.exe
4912	schtasks.exe
4488	schtasks.exe
4736	schtasks.exe
2612	schtasks.exe
4900	schtasks.exe
3220	schtasks.exe
3928	schtasks.exe
4600	schtasks.exe
972	schtasks.exe
2840	schtasks.exe
4772	schtasks.exe
4428	schtasks.exe
948	schtasks.exe
4660	schtasks.exe
4904	schtasks.exe
1176	schtasks.exe
4752	schtasks.exe
3288	schtasks.exe
460	schtasks.exe
640	schtasks.exe
1344	schtasks.exe
1748	schtasks.exe
520	schtasks.exe
3976	schtasks.exe
4364	schtasks.exe
376	schtasks.exe
1512	schtasks.exe
3972	schtasks.exe
4100	schtasks.exe
2876	schtasks.exe
4324	schtasks.exe
2728	schtasks.exe
1788	schtasks.exe
228	schtasks.exe
2792	schtasks.exe
5036	schtasks.exe

Modifies registry class 1 IoCs

Processes:

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exeunsecapp.exe

pid	process
2996	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
2996	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
2996	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
4472	unsecapp.exe
4472	unsecapp.exe
4472	unsecapp.exe
4472	unsecapp.exe
4472	unsecapp.exe
4472	unsecapp.exe
4472	unsecapp.exe
4472	unsecapp.exe
4472	unsecapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

unsecapp.exe

pid process

4472 unsecapp.exe

pid	process
4472	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exeunsecapp.exe

description	pid	process
Token: SeDebugPrivilege	2996	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
Token: SeDebugPrivilege	4472	unsecapp.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.execmd.exe

description	pid	process	target process
PID 2996 wrote to memory of 1324	2996	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe	cmd.exe
PID 2996 wrote to memory of 1324	2996	5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe	cmd.exe
PID 1324 wrote to memory of 3240	1324	cmd.exe	w32tm.exe
PID 1324 wrote to memory of 3240	1324	cmd.exe	w32tm.exe
PID 1324 wrote to memory of 4472	1324	cmd.exe	unsecapp.exe
PID 1324 wrote to memory of 4472	1324	cmd.exe	unsecapp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe
"C:\Users\Admin\AppData\Local\Temp\5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dotzmuRRFE.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:3240

C:\Recovery\WindowsRE\unsecapp.exe
"C:\Recovery\WindowsRE\unsecapp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\lib\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre1.8.0_66\lib\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\backgroundTaskHost.exe

Filesize
382KB

MD5
aacf5c0709892fb2b34a58f13a509a72

SHA1
5d96eee503b2e50f32ead6f0a2c9d53d1a8629e2

SHA256
5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95

SHA512
bf707ec37d4151e8c6790c365635a6c577a8f19cbe81eaa7c8b4100f4def6a2a177796700f2ffc7317b306e52004ccb4aff1eba8457448235a06c8947cd806c7

Download Submit
C:\Recovery\WindowsRE\unsecapp.exe

Filesize
382KB

MD5
aacf5c0709892fb2b34a58f13a509a72

SHA1
5d96eee503b2e50f32ead6f0a2c9d53d1a8629e2

SHA256
5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95

SHA512
bf707ec37d4151e8c6790c365635a6c577a8f19cbe81eaa7c8b4100f4def6a2a177796700f2ffc7317b306e52004ccb4aff1eba8457448235a06c8947cd806c7

Download Submit
C:\Recovery\WindowsRE\unsecapp.exe

Filesize
382KB

MD5
aacf5c0709892fb2b34a58f13a509a72

SHA1
5d96eee503b2e50f32ead6f0a2c9d53d1a8629e2

SHA256
5f8c9693df7c4cd7a96790a86f3728b3f572084b2e52bf93c6f9f1e2ff438a95

SHA512
bf707ec37d4151e8c6790c365635a6c577a8f19cbe81eaa7c8b4100f4def6a2a177796700f2ffc7317b306e52004ccb4aff1eba8457448235a06c8947cd806c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dotzmuRRFE.bat

Filesize
199B

MD5
226d1b50bc37e69d75aa8bfe9e1547fa

SHA1
05632634ce7860eb3d5a973b2353897c81c19861

SHA256
9b9f7c202256035ea203a590426195337c84536fe364b5b3cbfb809238ff8655

SHA512
ce9aa7175b872f8271efd7af8b49d4638a382ab5d212284ebc1c266f237687ee0f790383e55000d09cf8b02f56a19fde75de034361698b908f9a8e0a078fd520

Download Submit
memory/2996-133-0x0000000000D50000-0x0000000000DB6000-memory.dmp

Filesize
408KB

Download
memory/2996-136-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/2996-143-0x000000001BA90000-0x000000001BAA0000-memory.dmp

Filesize
64KB

Download
memory/4472-173-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/4472-174-0x000000001AFE0000-0x000000001B12E000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads