dcrat | 0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc

General

Target

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
Size

1.1MB
MD5

48e5ef4a0ca234c29ceecab25fe23d91
SHA1

058fec1d069ba2dd6f7ef3af7ff65066b5b9f7b9
SHA256

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc
SHA512

6ba2d8666b43f80e86e1fbf8f4a694d1fe165d86d467ace38094adc585f77a68665dfa7ea7f2dc55ea8977971926b0cc947f410738e8670d8b344471f07dd65b
SSDEEP

24576:U2G/nvxW3Ww0tLmbqJB7ioiB9yzs9/Hi+i01ZxtYZH:UbA30Lmby7Or9vDE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2488	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2488	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\ReviewHost\brokercrt.exe	dcrat
behavioral1/memory/2456-13-0x0000000001270000-0x0000000001346000-memory.dmp	dcrat
behavioral1/memory/1424-72-0x0000000000800000-0x00000000008D6000-memory.dmp	dcrat
behavioral1/memory/1424-76-0x000000001B0A0000-0x000000001B120000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

brokercrt.exebrokercrt.execsrss.exe

pid process

2456 brokercrt.exe
1752 brokercrt.exe
1424 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2712 cmd.exe
2712 cmd.exe
Drops file in System32 directory 2 IoCs

Processes:

brokercrt.exe

description ioc process

File created C:\Windows\System32\th-TH\cmd.exe brokercrt.exe
File created C:\Windows\System32\th-TH\ebf1f9fa8afd6d brokercrt.exe

pid	process
2712	cmd.exe
2712	cmd.exe

description	ioc	process
File created	C:\Windows\System32\th-TH\cmd.exe	brokercrt.exe
File created	C:\Windows\System32\th-TH\ebf1f9fa8afd6d	brokercrt.exe

Drops file in Program Files directory 16 IoCs

Processes:

brokercrt.exebrokercrt.exe

description	ioc	process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\f3b6ecef712a24	brokercrt.exe
File created	C:\Program Files\Windows Mail\it-IT\csrss.exe	brokercrt.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	brokercrt.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\csrss.exe	brokercrt.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\886983d96e3d3e	brokercrt.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe	brokercrt.exe
File created	C:\Program Files\Windows Sidebar\de-DE\winlogon.exe	brokercrt.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	brokercrt.exe
File created	C:\Program Files\Windows Media Player\es-ES\7a0fd90576e088	brokercrt.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\6cb0b6c459d5d3	brokercrt.exe
File created	C:\Program Files\Windows Sidebar\de-DE\cc11b995f2a76d	brokercrt.exe
File created	C:\Program Files\Windows Media Player\es-ES\explorer.exe	brokercrt.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\dwm.exe	brokercrt.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe	brokercrt.exe
File created	C:\Program Files\Windows Mail\it-IT\886983d96e3d3e	brokercrt.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\886983d96e3d3e	brokercrt.exe

Drops file in Windows directory 6 IoCs

Processes:

brokercrt.exebrokercrt.exe

description	ioc	process
File created	C:\Windows\inf\ASP.NET_4.0.30319\0804\wininit.exe	brokercrt.exe
File created	C:\Windows\inf\ASP.NET_4.0.30319\0804\56085415360792	brokercrt.exe
File created	C:\Windows\Performance\WinSAT\lsm.exe	brokercrt.exe
File created	C:\Windows\Performance\WinSAT\101b941d020240	brokercrt.exe
File created	C:\Windows\PLA\Templates\services.exe	brokercrt.exe
File created	C:\Windows\PLA\Templates\c5b4cb5e9653cc	brokercrt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1076	schtasks.exe
1700	schtasks.exe
2404	schtasks.exe
2284	schtasks.exe
2928	schtasks.exe
1540	schtasks.exe
2368	schtasks.exe
1100	schtasks.exe
2168	schtasks.exe
2984	schtasks.exe
2124	schtasks.exe
960	schtasks.exe
2952	schtasks.exe
2952	schtasks.exe
696	schtasks.exe
1980	schtasks.exe
2472	schtasks.exe
2804	schtasks.exe
1992	schtasks.exe
1576	schtasks.exe
2440	schtasks.exe
2360	schtasks.exe
1288	schtasks.exe
1560	schtasks.exe
864	schtasks.exe
2620	schtasks.exe
1476	schtasks.exe
1856	schtasks.exe
1620	schtasks.exe
1940	schtasks.exe
756	schtasks.exe
2008	schtasks.exe
1692	schtasks.exe
1812	schtasks.exe
372	schtasks.exe
900	schtasks.exe
2112	schtasks.exe
2308	schtasks.exe
2896	schtasks.exe
1556	schtasks.exe
1744	schtasks.exe
816	schtasks.exe
1964	schtasks.exe
2020	schtasks.exe
1080	schtasks.exe
560	schtasks.exe
2820	schtasks.exe
2656	schtasks.exe
2684	schtasks.exe
620	schtasks.exe
1144	schtasks.exe
2500	schtasks.exe
2328	schtasks.exe
2648	schtasks.exe
552	schtasks.exe
2632	schtasks.exe
2556	schtasks.exe
2572	schtasks.exe
3020	schtasks.exe
1236	schtasks.exe
1760	schtasks.exe
1004	schtasks.exe
2460	schtasks.exe
1724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

brokercrt.exebrokercrt.execsrss.exe

pid	process
2456	brokercrt.exe
2456	brokercrt.exe
2456	brokercrt.exe
2456	brokercrt.exe
2456	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1752	brokercrt.exe
1424	csrss.exe
1424	csrss.exe
1424	csrss.exe
1424	csrss.exe
1424	csrss.exe
1424	csrss.exe
1424	csrss.exe
1424	csrss.exe
1424	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

brokercrt.exebrokercrt.execsrss.exe

description pid process

Token: SeDebugPrivilege 2456 brokercrt.exe
Token: SeDebugPrivilege 1752 brokercrt.exe
Token: SeDebugPrivilege 1424 csrss.exe

description	pid	process
Token: SeDebugPrivilege	2456	brokercrt.exe
Token: SeDebugPrivilege	1752	brokercrt.exe
Token: SeDebugPrivilege	1424	csrss.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exeWScript.execmd.exebrokercrt.exebrokercrt.execmd.exe

description	pid	process	target process
PID 1664 wrote to memory of 2856	1664	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 1664 wrote to memory of 2856	1664	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 1664 wrote to memory of 2856	1664	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 1664 wrote to memory of 2856	1664	0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe	WScript.exe
PID 2856 wrote to memory of 2712	2856	WScript.exe	cmd.exe
PID 2856 wrote to memory of 2712	2856	WScript.exe	cmd.exe
PID 2856 wrote to memory of 2712	2856	WScript.exe	cmd.exe
PID 2856 wrote to memory of 2712	2856	WScript.exe	cmd.exe
PID 2712 wrote to memory of 2456	2712	cmd.exe	brokercrt.exe
PID 2712 wrote to memory of 2456	2712	cmd.exe	brokercrt.exe
PID 2712 wrote to memory of 2456	2712	cmd.exe	brokercrt.exe
PID 2712 wrote to memory of 2456	2712	cmd.exe	brokercrt.exe
PID 2456 wrote to memory of 1752	2456	brokercrt.exe	brokercrt.exe
PID 2456 wrote to memory of 1752	2456	brokercrt.exe	brokercrt.exe
PID 2456 wrote to memory of 1752	2456	brokercrt.exe	brokercrt.exe
PID 1752 wrote to memory of 2472	1752	brokercrt.exe	cmd.exe
PID 1752 wrote to memory of 2472	1752	brokercrt.exe	cmd.exe
PID 1752 wrote to memory of 2472	1752	brokercrt.exe	cmd.exe
PID 2472 wrote to memory of 2784	2472	cmd.exe	w32tm.exe
PID 2472 wrote to memory of 2784	2472	cmd.exe	w32tm.exe
PID 2472 wrote to memory of 2784	2472	cmd.exe	w32tm.exe
PID 2472 wrote to memory of 1424	2472	cmd.exe	csrss.exe
PID 2472 wrote to memory of 1424	2472	cmd.exe	csrss.exe
PID 2472 wrote to memory of 1424	2472	cmd.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe
"C:\Users\Admin\AppData\Local\Temp\0641afd15fce62b273a73f7c8df67b4f192c4056ec788937d6d52a2e814c2ddc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712

C:\ReviewHost\brokercrt.exe
"C:\ReviewHost\brokercrt.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\ReviewHost\brokercrt.exe
"C:\ReviewHost\brokercrt.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GH2jDclRkv.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2784

C:\Program Files\Microsoft Office\Office14\1033\csrss.exe
"C:\Program Files\Microsoft Office\Office14\1033\csrss.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\ReviewHost\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ReviewHost\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\ReviewHost\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\ReviewHost\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\ReviewHost\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\ReviewHost\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0804\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0804\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\ASP.NET_4.0.30319\0804\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f9e55a2-d10b-11ee-8d36-fdfbfcab7b96\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\th-TH\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\System32\th-TH\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\th-TH\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Network Sharing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\ReviewHost\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\ReviewHost\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\ReviewHost\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Templates\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ReviewHost\LGlGhCGbVntC7HCLV0QyeYWp.vbe
Filesize
216B

MD5
7b4906d1cb87de73f115581dcaf9e232

SHA1
0e02caa3ce91fc59267606430158c7d3e112b700

SHA256
9c3b3e61ce002f1d33d5228dbbf535400f16646f1d83747251ff7849c5a32495

SHA512
5f6f967a49c329a6946bbe0c2d43ad4751d9a914ddf244c1055fb0678a1982f60401dbdbde153b2027652e23eb83e2ac7d9be77a897d5023435e3aef65aabb96

Download Submit
C:\ReviewHost\Qtt5UtOWbMYxPmztsNxVxiRIZauHb.bat
Filesize
29B

MD5
17370288e4e03fad288831ae1f887483

SHA1
8afdd43b5b01ee9517981e8e285113e2a08305f2

SHA256
ab7fe15930980a0b150427e5a7bda9234292fa63e6358654ea2e356ddbceaf66

SHA512
00e0253a0ca8ac0e8f44b716ed4357ac4790d2809172fdc5385607a888449e03f634444ac8e8689615a0ad7ed162f6b42ec4e0b2aecea532c66575d047f22162

Download Submit
C:\Users\Admin\AppData\Local\Temp\GH2jDclRkv.bat
Filesize
222B

MD5
34b419624ddf18cabdd96eff93503ca7

SHA1
6a501232e8d41af41a73d3d16da06c0e35379395

SHA256
50362809454dcf948a3c9a2c34a4015f6d35cd3439c2e95b64e1fa051696d2c6

SHA512
a3f4972dd2f106e5119a9909c64edc79b1209cc7af8ff62b8c51c2aa9981f040dd6580029288749d99687987574f340c532098f420f46dae6a2d1d28dfe54779

Download Submit
\ReviewHost\brokercrt.exe
Filesize
828KB

MD5
96b975481850add8ccb0353227eceb87

SHA1
f201465c8e9eef2193c0023e5593f901d0c2a7f0

SHA256
0032fb8bb3e91a8063a769e8504814f02222448c01b61e3990b35316525057c9

SHA512
27a4100a0f3b8e859436859f2ed23207ce7d4236d42881b6d79b1591816864921a00d98693a60d6c9444dbefd95c3833bc86ec0a20953f9d3b249ea7f527b6b4

Download Submit
memory/1424-73-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/1424-76-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/1424-75-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

Filesize
9.9MB

Download
memory/1424-74-0x000000001B0A0000-0x000000001B120000-memory.dmp

Filesize
512KB

Download
memory/1424-72-0x0000000000800000-0x00000000008D6000-memory.dmp

Filesize
856KB

Download
memory/1752-33-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1752-34-0x0000000000FD0000-0x0000000001050000-memory.dmp

Filesize
512KB

Download
memory/1752-69-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-14-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-35-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2456-15-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/2456-13-0x0000000001270000-0x0000000001346000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads