dcrat | 168dd964cedab347b56461282ab409b5fb19de28f50f635d7071dfce39c04ed5

General

Target

168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
Size

1.1MB
MD5

7b2cc7bd31191fc112de760c996e56a1
SHA1

8c87bbdd79eda5b6f6612a9d828d10924071e959
SHA256

168dd964cedab347b56461282ab409b5fb19de28f50f635d7071dfce39c04ed5
SHA512

9c7b924020c2c7c8d485100429449f4d0221e73ddf4f00ea197efa539a29d9cd74528928371a9640c05f8cf27f2b37348bec7b3d3a9c1006bcc304ebc85fbd7a
SSDEEP

24576:JpyruWBdka5dL1NELih7LqxLBwceZEY2Onj3JniDq0A5BfJXA6:Jpm9nkIdL1WCnwmDZJ2Q3ZB5BfJXA6

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2060	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/212-138-0x0000000000400000-0x0000000000601000-memory.dmp	dcrat
behavioral2/memory/212-187-0x0000000000400000-0x0000000000601000-memory.dmp	dcrat
behavioral2/memory/1140-196-0x0000000000400000-0x0000000000601000-memory.dmp	dcrat
behavioral2/memory/1140-199-0x0000000000400000-0x0000000000601000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe

Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1140 services.exe

pid	process
1140	services.exe

Drops file in Program Files directory 5 IoCs

Processes:

168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\38384e6a620884	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Program Files\Microsoft Office\root\RuntimeBroker.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Program Files\Microsoft Office\root\9e8d7a4ca61bd9	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\taskhostw.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\SearchApp.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe

Drops file in Windows directory 8 IoCs

Processes:

168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe

description	ioc	process
File opened for modification	C:\Windows\addins\System.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Windows\addins\27d1bcfc3c54e0	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Windows\WaaS\tasks\sysmon.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Windows\Provisioning\services.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Windows\Provisioning\c5b4cb5e9653cc	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Windows\Offline Web Pages\dllhost.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Windows\Offline Web Pages\5940a34987c991	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
File created	C:\Windows\addins\System.exe	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3528	schtasks.exe
636	schtasks.exe
1836	schtasks.exe
4640	schtasks.exe
3032	schtasks.exe
624	schtasks.exe
956	schtasks.exe
2248	schtasks.exe
4876	schtasks.exe
5072	schtasks.exe
1292	schtasks.exe
4768	schtasks.exe
4944	schtasks.exe
3792	schtasks.exe
4656	schtasks.exe
2276	schtasks.exe
444	schtasks.exe
1576	schtasks.exe
4076	schtasks.exe
4040	schtasks.exe
2144	schtasks.exe
2324	schtasks.exe
4476	schtasks.exe
1040	schtasks.exe
3220	schtasks.exe
4540	schtasks.exe
8	schtasks.exe
2032	schtasks.exe
4816	schtasks.exe
3332	schtasks.exe
3624	schtasks.exe
3224	schtasks.exe
4156	schtasks.exe
464	schtasks.exe
1116	schtasks.exe
4904	schtasks.exe
4332	schtasks.exe
1344	schtasks.exe
792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exeservices.exe

pid	process
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
1140	services.exe
1140	services.exe
1140	services.exe
1140	services.exe
1140	services.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exeservices.exe

description pid process

Token: SeDebugPrivilege 212 168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
Token: SeDebugPrivilege 1140 services.exe

description	pid	process
Token: SeDebugPrivilege	212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
Token: SeDebugPrivilege	1140	services.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe

description	pid	process	target process
PID 212 wrote to memory of 1140	212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe	services.exe
PID 212 wrote to memory of 1140	212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe	services.exe
PID 212 wrote to memory of 1140	212	168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe
"C:\Users\Admin\AppData\Local\Temp\168DD964CEDAB347B56461282AB409B5FB19DE28F50F6.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\Provisioning\services.exe
"C:\Windows\Provisioning\services.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\root\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Provisioning\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Provisioning\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\SetupMetrics\RuntimeBroker.exe
Filesize
1.1MB

MD5
7b2cc7bd31191fc112de760c996e56a1

SHA1
8c87bbdd79eda5b6f6612a9d828d10924071e959

SHA256
168dd964cedab347b56461282ab409b5fb19de28f50f635d7071dfce39c04ed5

SHA512
9c7b924020c2c7c8d485100429449f4d0221e73ddf4f00ea197efa539a29d9cd74528928371a9640c05f8cf27f2b37348bec7b3d3a9c1006bcc304ebc85fbd7a

Download Submit
C:\Windows\Provisioning\services.exe
Filesize
1.1MB

MD5
7b2cc7bd31191fc112de760c996e56a1

SHA1
8c87bbdd79eda5b6f6612a9d828d10924071e959

SHA256
168dd964cedab347b56461282ab409b5fb19de28f50f635d7071dfce39c04ed5

SHA512
9c7b924020c2c7c8d485100429449f4d0221e73ddf4f00ea197efa539a29d9cd74528928371a9640c05f8cf27f2b37348bec7b3d3a9c1006bcc304ebc85fbd7a

Download Submit
C:\Windows\Provisioning\services.exe
Filesize
1.1MB

MD5
7b2cc7bd31191fc112de760c996e56a1

SHA1
8c87bbdd79eda5b6f6612a9d828d10924071e959

SHA256
168dd964cedab347b56461282ab409b5fb19de28f50f635d7071dfce39c04ed5

SHA512
9c7b924020c2c7c8d485100429449f4d0221e73ddf4f00ea197efa539a29d9cd74528928371a9640c05f8cf27f2b37348bec7b3d3a9c1006bcc304ebc85fbd7a

Download Submit
memory/212-147-0x0000000005F50000-0x000000000647C000-memory.dmp

Filesize
5.2MB

Download
memory/212-151-0x00000000065C0000-0x0000000006626000-memory.dmp

Filesize
408KB

Download
memory/212-138-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/212-141-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/212-142-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/212-143-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/212-144-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/212-145-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/212-146-0x00000000023E0000-0x0000000002430000-memory.dmp

Filesize
320KB

Download
memory/212-133-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/212-148-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/212-137-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/212-136-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/212-135-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/212-134-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/212-187-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1140-188-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1140-189-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1140-190-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1140-191-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1140-192-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1140-196-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/1140-197-0x0000000007410000-0x000000000741A000-memory.dmp

Filesize
40KB

Download
memory/1140-199-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads