dcrat | c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

General

Target

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
Size

1.3MB
MD5

6f6a61090a9add724eebbec1c558826b
SHA1

566ea8db4bcea2d078fb71be08bc8e7003e36119
SHA256

c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483
SHA512

47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8
SSDEEP

24576:4LS70OsASkYS827M+8NFNzmJd+eVjW2LGLrk2WKiT:gS70OfRhxW1c2vi

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	580	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1292-54-0x0000000001290000-0x00000000013E2000-memory.dmp	dcrat
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\taskhost.exe	dcrat
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe	dcrat
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe	dcrat
behavioral1/memory/288-97-0x00000000008B0000-0x0000000000A02000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

lsm.exe

pid process

288 lsm.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
288	lsm.exe

Drops file in Program Files directory 12 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\lsm.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files (x86)\MSBuild\101b941d020240	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\b75386f1303e64	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\Mozilla Firefox\fonts\69ddcba757bf72	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\cc11b995f2a76d	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\taskhost.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\f3b6ecef712a24	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\Uninstall Information\spoolsv.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Program Files\Mozilla Firefox\fonts\smss.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

Drops file in Windows directory 6 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

description	ioc	process
File created	C:\Windows\Help\System.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\Help\27d1bcfc3c54e0	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\ja-JP\lsass.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\ja-JP\6203df4a6bafc7	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\Performance\WinSAT\DataStore\smss.exe	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
File created	C:\Windows\Performance\WinSAT\DataStore\69ddcba757bf72	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1772	schtasks.exe
1088	schtasks.exe
1588	schtasks.exe
1992	schtasks.exe
1600	schtasks.exe
1832	schtasks.exe
1312	schtasks.exe
1528	schtasks.exe
748	schtasks.exe
1120	schtasks.exe
944	schtasks.exe
1544	schtasks.exe
284	schtasks.exe
1900	schtasks.exe
1168	schtasks.exe
1216	schtasks.exe
1568	schtasks.exe
1884	schtasks.exe
1388	schtasks.exe
1448	schtasks.exe
1912	schtasks.exe
1068	schtasks.exe
1012	schtasks.exe
1948	schtasks.exe
872	schtasks.exe
936	schtasks.exe
240	schtasks.exe
1728	schtasks.exe
1768	schtasks.exe
1832	schtasks.exe
1684	schtasks.exe
1768	schtasks.exe
1428	schtasks.exe
1716	schtasks.exe
1732	schtasks.exe
1836	schtasks.exe
836	schtasks.exe
1132	schtasks.exe
1824	schtasks.exe
1196	schtasks.exe
1068	schtasks.exe
364	schtasks.exe
1184	schtasks.exe
1732	schtasks.exe
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exelsm.exe

pid	process
1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe
288	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exelsm.exe

description pid process

Token: SeDebugPrivilege 1292 C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
Token: SeDebugPrivilege 288 lsm.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lsm.exe

pid process

288 lsm.exe

description	pid	process
Token: SeDebugPrivilege	1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
Token: SeDebugPrivilege	288	lsm.exe

pid	process
288	lsm.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe

description	pid	process	target process
PID 1292 wrote to memory of 288	1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe	lsm.exe
PID 1292 wrote to memory of 288	1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe	lsm.exe
PID 1292 wrote to memory of 288	1292	C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe	lsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe
"C:\Users\Admin\AppData\Local\Temp\C6244C8E4E4CDECD641017D52D344B1DB6A23D05FD6A8.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
"C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\f8d1ec42-b1b7-11ed-bba7-be56d16f7d95\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\DataStore\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\fonts\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
Filesize
1.3MB

MD5
6f6a61090a9add724eebbec1c558826b

SHA1
566ea8db4bcea2d078fb71be08bc8e7003e36119

SHA256
c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

SHA512
47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsm.exe
Filesize
1.3MB

MD5
6f6a61090a9add724eebbec1c558826b

SHA1
566ea8db4bcea2d078fb71be08bc8e7003e36119

SHA256
c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

SHA512
47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\taskhost.exe
Filesize
1.3MB

MD5
6f6a61090a9add724eebbec1c558826b

SHA1
566ea8db4bcea2d078fb71be08bc8e7003e36119

SHA256
c6244c8e4e4cdecd641017d52d344b1db6a23d05fd6a8ad338c8f4f77481f483

SHA512
47d88347a9082186b9667fcf3994d2fe212f09a5665cc82017d48f8833e8a67823b6b66bf3a5dbda5369dd6d1585248389e213a4b3556e8b0b0b66c137eb8aa8

Download Submit
memory/288-99-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/288-108-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/288-133-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/288-132-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/288-131-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/288-109-0x000000001B390000-0x000000001B410000-memory.dmp

Filesize
512KB

Download
memory/288-98-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/288-97-0x00000000008B0000-0x0000000000A02000-memory.dmp

Filesize
1.3MB

Download
memory/1292-55-0x000000001B1B0000-0x000000001B230000-memory.dmp

Filesize
512KB

Download
memory/1292-54-0x0000000001290000-0x00000000013E2000-memory.dmp

Filesize
1.3MB

Download
memory/1292-57-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/1292-56-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/1292-58-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1292-60-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/1292-59-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads