dcrat | 7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033

Analysis

max time kernel
18s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23-03-2023 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
Size

10.0MB
MD5

718c1a4f0cdacf94d4d6ad97e06a459f
SHA1

f7ea9a4f39e415c15ef563ecd4f381013e52d3a7
SHA256

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033
SHA512

8a3d55db0a4eae644922895e140269f22f8214af875bf3544255bcc1be6b1de9a1274b1dd41cc4ac5826a9ac5e1d8d216994891dc124c01ba722db214652f80e
SSDEEP

196608:2JJ8G/X6v9189c+HzrMyU59NSOWQqA00aWOj/AoDvVq:2JJTCv8cEnMrrNSOhLPOj/Pv

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	824	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	824	schtasks.exe

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1700-54-0x0000000000400000-0x00000000015D9000-memory.dmp	dcrat
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe	dcrat
behavioral1/memory/1700-64-0x0000000000400000-0x00000000015D9000-memory.dmp	dcrat
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe	dcrat
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe	dcrat
\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe	dcrat
\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe	dcrat
behavioral1/memory/1700-76-0x0000000000400000-0x00000000015D9000-memory.dmp	dcrat
behavioral1/memory/908-82-0x0000000000E70000-0x000000000101E000-memory.dmp	dcrat
behavioral1/memory/908-84-0x000000001B2A0000-0x000000001B320000-memory.dmp	dcrat
C:\Windows\Downloaded Program Files\conhost_8.exe	dcrat
C:\Windows\Downloaded Program Files\conhost_8.exe	dcrat
behavioral1/memory/1904-134-0x0000000001390000-0x000000000153E000-memory.dmp	dcrat

Executes dropped EXE 4 IoCs

Processes:

bl_fontreviewmonitordllrefsvc.execonhost_8.exeMASTER 8BP.execonhost_8.exe

pid process

908 bl_fontreviewmonitordllrefsvc.exe
376 conhost_8.exe
1964 MASTER 8BP.exe
1904 conhost_8.exe

Loads dropped DLL 8 IoCs

Processes:

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exeWerFault.exe

pid	process
1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe
1680	WerFault.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe

pid process

1700 7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe

Drops file in Program Files directory 8 IoCs

Processes:

bl_fontreviewmonitordllrefsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Sidebar\ja-JP\sppsvc.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\0a1fd5f707cd16	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\csrss.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\886983d96e3d3e	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\smss.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\69ddcba757bf72	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\7-Zip\Lang\taskhost.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Program Files\7-Zip\Lang\b75386f1303e64	bl_fontreviewmonitordllrefsvc.exe

Drops file in Windows directory 6 IoCs

Processes:

bl_fontreviewmonitordllrefsvc.exe

description	ioc	process
File created	C:\Windows\Downloaded Program Files\conhost_8.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\Downloaded Program Files\b02870d6c03c64	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\it-IT\services.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\it-IT\c5b4cb5e9653cc	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\LiveKernelReports\MASTER 8BP.exe	bl_fontreviewmonitordllrefsvc.exe
File created	C:\Windows\LiveKernelReports\3531ffc0f07ae4	bl_fontreviewmonitordllrefsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1680 1964 WerFault.exe MASTER 8BP.exe

pid	pid_target	process	target process
1680	1964	WerFault.exe	MASTER 8BP.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1692	schtasks.exe
1168	schtasks.exe
1700	schtasks.exe
1656	schtasks.exe
436	schtasks.exe
1112	schtasks.exe
1952	schtasks.exe
924	schtasks.exe
932	schtasks.exe
1792	schtasks.exe
560	schtasks.exe
1656	schtasks.exe
1664	schtasks.exe
524	schtasks.exe
1604	schtasks.exe
1052	schtasks.exe
1276	schtasks.exe
1772	schtasks.exe
856	schtasks.exe
1996	schtasks.exe
1920	schtasks.exe
1176	schtasks.exe
1556	schtasks.exe
1624	schtasks.exe
1704	schtasks.exe
2040	schtasks.exe
240	schtasks.exe
1056	schtasks.exe
1940	schtasks.exe
1956	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

bl_fontreviewmonitordllrefsvc.exepowershell.exe

pid	process
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
908	bl_fontreviewmonitordllrefsvc.exe
1824	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bl_fontreviewmonitordllrefsvc.exepowershell.execonhost_8.exe

description	pid	process
Token: SeDebugPrivilege	908	bl_fontreviewmonitordllrefsvc.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1904	conhost_8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe

pid process

1700 7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exeMASTER 8BP.exebl_fontreviewmonitordllrefsvc.execmd.execonhost_8.exe

description	pid	process	target process
PID 1700 wrote to memory of 908	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	bl_fontreviewmonitordllrefsvc.exe
PID 1700 wrote to memory of 908	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	bl_fontreviewmonitordllrefsvc.exe
PID 1700 wrote to memory of 908	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	bl_fontreviewmonitordllrefsvc.exe
PID 1700 wrote to memory of 908	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	bl_fontreviewmonitordllrefsvc.exe
PID 1700 wrote to memory of 376	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	conhost_8.exe
PID 1700 wrote to memory of 376	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	conhost_8.exe
PID 1700 wrote to memory of 376	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	conhost_8.exe
PID 1700 wrote to memory of 376	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	conhost_8.exe
PID 1700 wrote to memory of 1964	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	MASTER 8BP.exe
PID 1700 wrote to memory of 1964	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	MASTER 8BP.exe
PID 1700 wrote to memory of 1964	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	MASTER 8BP.exe
PID 1700 wrote to memory of 1964	1700	7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe	MASTER 8BP.exe
PID 1964 wrote to memory of 1680	1964	MASTER 8BP.exe	WerFault.exe
PID 1964 wrote to memory of 1680	1964	MASTER 8BP.exe	WerFault.exe
PID 1964 wrote to memory of 1680	1964	MASTER 8BP.exe	WerFault.exe
PID 1964 wrote to memory of 1680	1964	MASTER 8BP.exe	WerFault.exe
PID 908 wrote to memory of 1824	908	bl_fontreviewmonitordllrefsvc.exe	powershell.exe
PID 908 wrote to memory of 1824	908	bl_fontreviewmonitordllrefsvc.exe	powershell.exe
PID 908 wrote to memory of 1824	908	bl_fontreviewmonitordllrefsvc.exe	powershell.exe
PID 908 wrote to memory of 1572	908	bl_fontreviewmonitordllrefsvc.exe	cmd.exe
PID 908 wrote to memory of 1572	908	bl_fontreviewmonitordllrefsvc.exe	cmd.exe
PID 908 wrote to memory of 1572	908	bl_fontreviewmonitordllrefsvc.exe	cmd.exe
PID 1572 wrote to memory of 1032	1572	cmd.exe	w32tm.exe
PID 1572 wrote to memory of 1032	1572	cmd.exe	w32tm.exe
PID 1572 wrote to memory of 1032	1572	cmd.exe	w32tm.exe
PID 1572 wrote to memory of 1904	1572	cmd.exe	conhost_8.exe
PID 1572 wrote to memory of 1904	1572	cmd.exe	conhost_8.exe
PID 1572 wrote to memory of 1904	1572	cmd.exe	conhost_8.exe
PID 376 wrote to memory of 1284	376	conhost_8.exe	powershell.exe
PID 376 wrote to memory of 1284	376	conhost_8.exe	powershell.exe
PID 376 wrote to memory of 1284	376	conhost_8.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe
"C:\Users\Admin\AppData\Local\Temp\7afbf498fc56475c7960c67595374fc5d84235b381ac1193bd4ebefa3ed0e033.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe
"C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nCS3PLly1U.bat"
3⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
4⤵
PID:1032

C:\Windows\Downloaded Program Files\conhost_8.exe
"C:\Windows\Downloaded Program Files\conhost_8.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Users\Admin\AppData\Roaming\conhost_8.exe
"C:\Users\Admin\AppData\Roaming\conhost_8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
"C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 188
3⤵
- Loads dropped DLL
- Program crash
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\conhost_8.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\conhost_8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\conhost_8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MASTER 8BPM" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\MASTER 8BP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MASTER 8BP" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\MASTER 8BP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MASTER 8BPM" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\MASTER 8BP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost_8.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost_8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost_8c" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost_8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1052

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nCS3PLly1U.bat
Filesize
214B

MD5
6cfb640f3d0bc2f6419f34c270d980ee

SHA1
d35ee59109ec80a9dcda2a9ae7f8c70729674299

SHA256
16b01c3708409958f9e8169d775620414e3f483e00ec6eb38f667c8c43d9b476

SHA512
ec3153edba4b5ab537878033a9ba98c9afc35c0b7bca2497c443f3bc821cd0238a84cb14fe33eb8f6b51102e9971110710b2100f19e626fef41101096b498b52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
49e00ab90e4c169885da76d92bd1bb7b

SHA1
653306f93718408f82679b55d9109709075a89f6

SHA256
0465ee668031a938d07e0874c70dd2d248d65567bac4d883965363451fac1fe8

SHA512
bfb676d32413923ca5552fea4a4c1aae93aa4db336b4193a54ede21f7c307b733504dec24d8c00a1af9b2f1dc959db5c5508a074b039ed7e6b1b51b4165bdb3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AI9X0NP2IYTG5NSN8FL6.temp
Filesize
7KB

MD5
49e00ab90e4c169885da76d92bd1bb7b

SHA1
653306f93718408f82679b55d9109709075a89f6

SHA256
0465ee668031a938d07e0874c70dd2d248d65567bac4d883965363451fac1fe8

SHA512
bfb676d32413923ca5552fea4a4c1aae93aa4db336b4193a54ede21f7c307b733504dec24d8c00a1af9b2f1dc959db5c5508a074b039ed7e6b1b51b4165bdb3b

Download Submit
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe
Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe
Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe
Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Users\Admin\AppData\Roaming\conhost_8.exe
Filesize
2.0MB

MD5
b521b2a220a99d820b688d4ad5db8067

SHA1
08e97a2e4871b789d3388fd51479710626b69a92

SHA256
55371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b

SHA512
2e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1

Download Submit
C:\Windows\Downloaded Program Files\conhost_8.exe
Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
C:\Windows\Downloaded Program Files\conhost_8.exe
Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Local\Temp\MASTER 8BP.exe
Filesize
2.1MB

MD5
3ee631ed0386c88faaad83c97ade2dcd

SHA1
308ac9da54565404430b220881c76f49793c0e9f

SHA256
be66aee2bca9fe25b83908cb03dd991670725c754df97b2ea66eeca5e3d1f8c6

SHA512
976f1d04125ff29c4ef90efc2fd91db9cb146261a14c68a04169c955755a53d3f8c436c5c41a93564b4aa4800317e0b61b170ebc409eb346f5ae29762e518e0d

Download Submit
\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe
Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
\Users\Admin\AppData\Roaming\bl_fontreviewmonitordllrefsvc.exe
Filesize
1.6MB

MD5
0ea53df77445bfbde349bd4eed09dae1

SHA1
b4df1111097fbfb9a9ea3ad86ac130716fea12d0

SHA256
83f1a1d7936de3a686abf664e40790ab48bc2043cee630a7f96954935886f335

SHA512
4396c5815c3e2613083e4866d60a363f7cc6a38647abcacfcc7500d2b1654da4821b0c597368c490325196607c40ad80f19b12f87e8594c1e88f2a02a7a73357

Download Submit
\Users\Admin\AppData\Roaming\conhost_8.exe
Filesize
2.0MB

MD5
b521b2a220a99d820b688d4ad5db8067

SHA1
08e97a2e4871b789d3388fd51479710626b69a92

SHA256
55371f430ea0369bf4e079f39558a4c6c5462b19ddc9f16f064286288f50a12b

SHA512
2e4d9b8d556a609abae4dfedf18136618fb1bb8f77d3a596c97bffc2edde9dec147456dcf586c00de9a438b789599fe288de8117109b6b04db9045279b3caca1

Download Submit
memory/376-115-0x000000013F540000-0x000000013F755000-memory.dmp

Filesize
2.1MB

Download
memory/908-89-0x0000000000200000-0x000000000020A000-memory.dmp

Filesize
40KB

Download
memory/908-84-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/908-87-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/908-88-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/908-82-0x0000000000E70000-0x000000000101E000-memory.dmp

Filesize
1.7MB

Download
memory/908-90-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/908-91-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/908-92-0x000000001B2A0000-0x000000001B320000-memory.dmp

Filesize
512KB

Download
memory/908-93-0x00000000009A0000-0x00000000009AE000-memory.dmp

Filesize
56KB

Download
memory/908-95-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/908-94-0x00000000009B0000-0x00000000009B8000-memory.dmp

Filesize
32KB

Download
memory/908-96-0x00000000009D0000-0x00000000009DC000-memory.dmp

Filesize
48KB

Download
memory/908-85-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/908-86-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/1284-141-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/1284-142-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/1700-77-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1700-54-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1700-76-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1700-64-0x0000000000400000-0x00000000015D9000-memory.dmp

Filesize
17.8MB

Download
memory/1824-129-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1824-131-0x0000000002490000-0x0000000002510000-memory.dmp

Filesize
512KB

Download
memory/1824-127-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/1824-130-0x000000000249B000-0x00000000024D2000-memory.dmp

Filesize
220KB

Download
memory/1824-128-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/1904-134-0x0000000001390000-0x000000000153E000-memory.dmp

Filesize
1.7MB

Download
memory/1904-135-0x0000000000C40000-0x0000000000CC0000-memory.dmp

Filesize
512KB

Download
memory/1904-143-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads