dcrat | 0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492

General

Target

Fortnite.exe
Size

1.1MB
MD5

f795b0bb519a53aa55f3a1f8b421708d
SHA1

18b0c53280f120d18e224ef389e21a09902da4f4
SHA256

0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492
SHA512

d3a1908461508c6bf322e1aa809b6b04ed27e0722957fcdf5d4f828060f4d4ba76d415ba56b8dad1d9d07129603590fc75699d98014fd79f3bfb8ea051e70180
SSDEEP

24576:U2G/nvxW3Ww0tEiau4VjR/qCUzDG6bNUa1BMJWl:UbA30klYS6b26

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1324	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\syscom32.exe	dcrat
C:\Windows\syscom32.exe	dcrat
behavioral1/memory/584-65-0x0000000000930000-0x0000000000A06000-memory.dmp	dcrat
C:\Windows\es-ES\lsm.exe	dcrat
C:\Program Files (x86)\Microsoft Office\csrss.exe	dcrat
C:\Program Files (x86)\Microsoft Office\csrss.exe	dcrat
behavioral1/memory/2452-112-0x0000000000F50000-0x0000000001026000-memory.dmp	dcrat
behavioral1/memory/2452-114-0x000000001AF40000-0x000000001AFC0000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

syscom32.execsrss.exe

pid process

584 syscom32.exe
2452 csrss.exe
Drops file in System32 directory 2 IoCs

Processes:

syscom32.exe

description ioc process

File created C:\Windows\System32\WMIADAP.exe syscom32.exe
File created C:\Windows\System32\75a57c1bdf437c syscom32.exe

pid	process
584	syscom32.exe
2452	csrss.exe

description	ioc	process
File created	C:\Windows\System32\WMIADAP.exe	syscom32.exe
File created	C:\Windows\System32\75a57c1bdf437c	syscom32.exe

Drops file in Program Files directory 15 IoCs

Processes:

syscom32.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\syscom32.exe	syscom32.exe
File created	C:\Program Files (x86)\Microsoft Office\csrss.exe	syscom32.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\b75386f1303e64	syscom32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\fc1a6a7a09e09f	syscom32.exe
File created	C:\Program Files\Google\Chrome\Application\cmd.exe	syscom32.exe
File created	C:\Program Files\Google\Chrome\Application\ebf1f9fa8afd6d	syscom32.exe
File created	C:\Program Files\VideoLAN\VLC\fc1a6a7a09e09f	syscom32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\088424020bedd6	syscom32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\6ccacd8608530f	syscom32.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\taskhost.exe	syscom32.exe
File created	C:\Program Files\VideoLAN\VLC\syscom32.exe	syscom32.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Idle.exe	syscom32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\syscom32.exe	syscom32.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe	syscom32.exe
File created	C:\Program Files (x86)\Microsoft Office\886983d96e3d3e	syscom32.exe

Drops file in Windows directory 15 IoCs

Processes:

Fortnite.exesyscom32.exe

description	ioc	process
File created	C:\Windows\kkLuA.bat	Fortnite.exe
File created	C:\Windows\es-ES\lsm.exe	syscom32.exe
File created	C:\Windows\Resources\Ease of Access Themes\56085415360792	syscom32.exe
File created	C:\Windows\Setup\State\WmiPrvSE.exe	syscom32.exe
File created	C:\Windows\syscom32.exe	Fortnite.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_7081930	Fortnite.exe
File created	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe
File opened for modification	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe
File created	C:\Windows\es-ES\101b941d020240	syscom32.exe
File created	C:\Windows\assembly\System.exe	syscom32.exe
File opened for modification	C:\Windows\kkLuA.bat	Fortnite.exe
File opened for modification	C:\Windows\syscom32.exe	Fortnite.exe
File created	C:\Windows\Resources\Ease of Access Themes\wininit.exe	syscom32.exe
File created	C:\Windows\Setup\State\24dbde2999530e	syscom32.exe
File created	C:\Windows\assembly\27d1bcfc3c54e0	syscom32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
836	schtasks.exe
1816	schtasks.exe
1756	schtasks.exe
1388	schtasks.exe
1784	schtasks.exe
1944	schtasks.exe
2000	schtasks.exe
2136	schtasks.exe
1688	schtasks.exe
1944	schtasks.exe
664	schtasks.exe
1752	schtasks.exe
1580	schtasks.exe
2156	schtasks.exe
340	schtasks.exe
1160	schtasks.exe
1832	schtasks.exe
876	schtasks.exe
620	schtasks.exe
1596	schtasks.exe
1000	schtasks.exe
548	schtasks.exe
1700	schtasks.exe
1156	schtasks.exe
1720	schtasks.exe
280	schtasks.exe
1812	schtasks.exe
2080	schtasks.exe
1544	schtasks.exe
1088	schtasks.exe
932	schtasks.exe
1548	schtasks.exe
1980	schtasks.exe
1964	schtasks.exe
996	schtasks.exe
108	schtasks.exe
1964	schtasks.exe
1544	schtasks.exe
1408	schtasks.exe
1536	schtasks.exe
1600	schtasks.exe
880	schtasks.exe
2112	schtasks.exe
2188	schtasks.exe
2208	schtasks.exe
1708	schtasks.exe
456	schtasks.exe
1724	schtasks.exe
2060	schtasks.exe
2228	schtasks.exe
1148	schtasks.exe
980	schtasks.exe
396	schtasks.exe
2020	schtasks.exe
1412	schtasks.exe
1156	schtasks.exe
1592	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2312 reg.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

syscom32.execsrss.exe

pid process

584 syscom32.exe
2452 csrss.exe
2452 csrss.exe
2452 csrss.exe
2452 csrss.exe
2452 csrss.exe
2452 csrss.exe
2452 csrss.exe
2452 csrss.exe
2452 csrss.exe

pid	process
2312	reg.exe

pid	process
584	syscom32.exe
2452	csrss.exe
2452	csrss.exe
2452	csrss.exe
2452	csrss.exe
2452	csrss.exe
2452	csrss.exe
2452	csrss.exe
2452	csrss.exe
2452	csrss.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

syscom32.execsrss.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	584	syscom32.exe
Token: SeDebugPrivilege	2452	csrss.exe
Token: 33	2544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2544	AUDIODG.EXE
Token: 33	2544	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2544	AUDIODG.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Fortnite.exeWScript.execmd.exesyscom32.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 852	1096	Fortnite.exe	WScript.exe
PID 1096 wrote to memory of 852	1096	Fortnite.exe	WScript.exe
PID 1096 wrote to memory of 852	1096	Fortnite.exe	WScript.exe
PID 1096 wrote to memory of 852	1096	Fortnite.exe	WScript.exe
PID 852 wrote to memory of 1920	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1920	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1920	852	WScript.exe	cmd.exe
PID 852 wrote to memory of 1920	852	WScript.exe	cmd.exe
PID 1920 wrote to memory of 584	1920	cmd.exe	syscom32.exe
PID 1920 wrote to memory of 584	1920	cmd.exe	syscom32.exe
PID 1920 wrote to memory of 584	1920	cmd.exe	syscom32.exe
PID 1920 wrote to memory of 584	1920	cmd.exe	syscom32.exe
PID 584 wrote to memory of 2280	584	syscom32.exe	cmd.exe
PID 584 wrote to memory of 2280	584	syscom32.exe	cmd.exe
PID 584 wrote to memory of 2280	584	syscom32.exe	cmd.exe
PID 1920 wrote to memory of 2312	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2312	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2312	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2312	1920	cmd.exe	reg.exe
PID 2280 wrote to memory of 2324	2280	cmd.exe	w32tm.exe
PID 2280 wrote to memory of 2324	2280	cmd.exe	w32tm.exe
PID 2280 wrote to memory of 2324	2280	cmd.exe	w32tm.exe
PID 2280 wrote to memory of 2452	2280	cmd.exe	csrss.exe
PID 2280 wrote to memory of 2452	2280	cmd.exe	csrss.exe
PID 2280 wrote to memory of 2452	2280	cmd.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\kkLuA.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\syscom32.exe
"C:\Windows\syscom32.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T8oDnCNIas.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2324

C:\Program Files (x86)\Microsoft Office\csrss.exe
"C:\Program Files (x86)\Microsoft Office\csrss.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syscom32s" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\syscom32.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syscom32" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\syscom32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syscom32s" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\syscom32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\System32\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Media Renderer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syscom32s" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\syscom32.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syscom32" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\syscom32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "syscom32s" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\syscom32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\a8e30002-b1b4-11ed-a8b7-cee1c2fbb193\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2228

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\csrss.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Program Files (x86)\Microsoft Office\csrss.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\T8oDnCNIas.bat
Filesize
214B

MD5
dd3592addd7bd187795ca7edc92fab4e

SHA1
a1911a196538c73c35e469426e130c0602b53f83

SHA256
671cb8ffc9656e89d075faec814fc0d746a38f053f1e87b5d595ad20a6ac8896

SHA512
0132e8f345210afc06b41778bb6e6621f5d8ef1ab8c54796cadd1b95e1e4c690b936b34c5f6e7b36f93ccda3cb795ea654c8a5adc3d45b60fdd2bcb65bd7f328

Download Submit
C:\Windows\es-ES\lsm.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\kkLuA.bat
Filesize
137B

MD5
eddbf02b8f63229a6f4670d77d49f965

SHA1
84dc5aa13c3a7144742df74e28da6a7ad9177a69

SHA256
12646d50947198b1c27be43e89905ce71902c186c21f1abbe0dc16919d4ce7ae

SHA512
be87f2ec9e7371a7999b8c552af765374d8c5c186df18dea61caa5ca57b1ac9e95b194a31d459e090a5cb32c7908af3e90cb4b2576ccfc191a6043879436681d

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe
Filesize
189B

MD5
c7c7ffa475aef8dff75df4c55df974af

SHA1
ef0427f4f4091c69d488443079477b1d4416e9b2

SHA256
19a4bf5506db87cf645f4a6e9af79b85e0d04ac4e7bc948585510dfe99d5ef16

SHA512
72fa6c18a83eb5edb303a85de4fb5f759a570aa5281525da6021cc1f0613257fbb5305f7a1bf6f6e3337d9ef707776a372b938f6ae6be777b7e6fe18a9dcba66

Download Submit
memory/584-72-0x000000001AC90000-0x000000001AD10000-memory.dmp

Filesize
512KB

Download
memory/584-65-0x0000000000930000-0x0000000000A06000-memory.dmp

Filesize
856KB

Download
memory/2452-112-0x0000000000F50000-0x0000000001026000-memory.dmp

Filesize
856KB

Download
memory/2452-113-0x000000001AF40000-0x000000001AFC0000-memory.dmp

Filesize
512KB

Download
memory/2452-114-0x000000001AF40000-0x000000001AFC0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads