dcrat | 5a8b4862e2819123cc9d2f271fbe0c602f871b39c616235ba1e3bdb7c5e1543c

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad531536d5ea6ac2b629e7e1e.exe
Size

1.4MB
MD5

ad531536d5ea6ac2b629e7e1ea63e5bb
SHA1

74324e685a1a676d50f80009eb677f1218da6c67
SHA256

5a8b4862e2819123cc9d2f271fbe0c602f871b39c616235ba1e3bdb7c5e1543c
SHA512

00f354214b546311cdfa7697e961f43b8ca423ccb04e791f8ae32cf49e7d3fc368b8ce651a036778bf58dcd3fab43858e2dd1c1e35625124e98f43318b3d447f
SSDEEP

24576:OdWjIqrUgLy1ouH8irAmYmctqudaQtrk0xf+LVmyhharuHrc95z:+UIqHLyTUm1qaKF+hmCdo9

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1624	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	1624	schtasks.exe	82

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/848-133-0x0000000000D60000-0x0000000000ED6000-memory.dmp	dcrat
behavioral2/files/0x0006000000023203-145.dat	dcrat
behavioral2/files/0x00060000000231f3-247.dat	dcrat
behavioral2/files/0x00060000000231f3-248.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	ad531536d5ea6ac2b629e7e1e.exe

Executes dropped EXE 1 IoCs

pid	Process
4548	unsecapp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ipinfo.io
13	ipinfo.io

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\unsecapp.exe	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\c5b4cb5e9653cc	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Program Files\Windows Multimedia Platform\29c1c3cc0f7685	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Program Files\Google\Chrome\Application\22eafd247d37c3	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Program Files\Windows Multimedia Platform\5b884080fd4f94	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX8AFD.tmp	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\RCX939C.tmp	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX9BED.tmp	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\unsecapp.exe	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\services.exe	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Program Files\Google\Chrome\Application\TextInputHost.exe	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX86D4.tmp	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\services.exe	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\TextInputHost.exe	ad531536d5ea6ac2b629e7e1e.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\Links\RuntimeBroker.exe	ad531536d5ea6ac2b629e7e1e.exe
File created	C:\Windows\ServiceProfiles\LocalService\Links\9e8d7a4ca61bd9	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Links\RCX97D4.tmp	ad531536d5ea6ac2b629e7e1e.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\Links\RuntimeBroker.exe	ad531536d5ea6ac2b629e7e1e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2868	schtasks.exe
3520	schtasks.exe
1092	schtasks.exe
4756	schtasks.exe
388	schtasks.exe
1564	schtasks.exe
5004	schtasks.exe
3080	schtasks.exe
4712	schtasks.exe
2660	schtasks.exe
948	schtasks.exe
3696	schtasks.exe
3852	schtasks.exe
2100	schtasks.exe
5076	schtasks.exe
2364	schtasks.exe
2784	schtasks.exe
4804	schtasks.exe
4420	schtasks.exe
4020	schtasks.exe
1236	schtasks.exe
2064	schtasks.exe
3692	schtasks.exe
568	schtasks.exe
540	schtasks.exe
3748	schtasks.exe
2860	schtasks.exe
1456	schtasks.exe
4228	schtasks.exe
1972	schtasks.exe
5040	schtasks.exe
2120	schtasks.exe
4108	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000_Classes\Local Settings	ad531536d5ea6ac2b629e7e1e.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
848	ad531536d5ea6ac2b629e7e1e.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe
4548	unsecapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4548	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	ad531536d5ea6ac2b629e7e1e.exe
Token: SeDebugPrivilege	4548	unsecapp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4548	unsecapp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1708	848	ad531536d5ea6ac2b629e7e1e.exe	116
PID 848 wrote to memory of 1708	848	ad531536d5ea6ac2b629e7e1e.exe	116
PID 1708 wrote to memory of 3952	1708	cmd.exe	118
PID 1708 wrote to memory of 3952	1708	cmd.exe	118
PID 1708 wrote to memory of 4548	1708	cmd.exe	119
PID 1708 wrote to memory of 4548	1708	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ad531536d5ea6ac2b629e7e1e.exe
"C:\Users\Admin\AppData\Local\Temp\ad531536d5ea6ac2b629e7e1e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OcRLEbieog.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3952
- - C:\Program Files\Windows Multimedia Platform\unsecapp.exe
    "C:\Program Files\Windows Multimedia Platform\unsecapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Searches\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Links\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\odt\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Multimedia Platform\unsecapp.exe

Filesize
1.4MB

MD5
ad531536d5ea6ac2b629e7e1ea63e5bb

SHA1
74324e685a1a676d50f80009eb677f1218da6c67

SHA256
5a8b4862e2819123cc9d2f271fbe0c602f871b39c616235ba1e3bdb7c5e1543c

SHA512
00f354214b546311cdfa7697e961f43b8ca423ccb04e791f8ae32cf49e7d3fc368b8ce651a036778bf58dcd3fab43858e2dd1c1e35625124e98f43318b3d447f

Download Submit
C:\Program Files\Windows Multimedia Platform\unsecapp.exe

Filesize
1.4MB

MD5
ad531536d5ea6ac2b629e7e1ea63e5bb

SHA1
74324e685a1a676d50f80009eb677f1218da6c67

SHA256
5a8b4862e2819123cc9d2f271fbe0c602f871b39c616235ba1e3bdb7c5e1543c

SHA512
00f354214b546311cdfa7697e961f43b8ca423ccb04e791f8ae32cf49e7d3fc368b8ce651a036778bf58dcd3fab43858e2dd1c1e35625124e98f43318b3d447f

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.4MB

MD5
ad531536d5ea6ac2b629e7e1ea63e5bb

SHA1
74324e685a1a676d50f80009eb677f1218da6c67

SHA256
5a8b4862e2819123cc9d2f271fbe0c602f871b39c616235ba1e3bdb7c5e1543c

SHA512
00f354214b546311cdfa7697e961f43b8ca423ccb04e791f8ae32cf49e7d3fc368b8ce651a036778bf58dcd3fab43858e2dd1c1e35625124e98f43318b3d447f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcRLEbieog.bat

Filesize
222B

MD5
04a3da66ab4d849ca9404d37087a75a7

SHA1
682c7f46421b009ce3da50b564d70e5bdab01157

SHA256
7004e9024a83bb8a4ff70602469abe717bc0b1248a379d49477349f573fe77ab

SHA512
06e95129c8e557a6cd40cd6e4a9ca1605f39c1540e3696da4d6e2d875fbb2d774ed98254b3ae2f44a299418dec4cf28fff4860ddc81c11a5f405c487ea9a36b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9630E.tmp

Filesize
1024B

MD5
7289ba56efb8fada79718936f78871e4

SHA1
fd675b7073d1c371e4078275073786b606a4c5f3

SHA256
e824b2c2a1cf2faaa6f4bd8959eddcd19803890ece623e96a91f3b80bb283920

SHA512
4fb41602804742ed335537d6f22cbe25225c0cf62d5179282351add6b895e298b650713df4c33db3c5ef022e8752af3b37c1f2d29c32edbe81c3c284d95330f5

Download Submit
memory/848-136-0x000000001C7D0000-0x000000001CCF8000-memory.dmp

Filesize
5.2MB

Download
memory/848-135-0x000000001C080000-0x000000001C0D0000-memory.dmp

Filesize
320KB

Download
memory/848-134-0x000000001BAF0000-0x000000001BB00000-memory.dmp

Filesize
64KB

Download
memory/848-133-0x0000000000D60000-0x0000000000ED6000-memory.dmp

Filesize
1.5MB

Download
memory/4548-249-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4548-251-0x000000001CB80000-0x000000001CD42000-memory.dmp

Filesize
1.8MB

Download
memory/4548-302-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download
memory/4548-303-0x0000000002A40000-0x0000000002A50000-memory.dmp

Filesize
64KB

Download