dcrat | e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847

General

Target

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
Size

3.0MB
MD5

2600cbb9ad38c10aca6ac4a91900cc84
SHA1

f670e02edea5048e57c089ae4042f1f00a5790f0
SHA256

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847
SHA512

06da17684e3d84105b9872d1b74af780d0ffcbf80c2e2aae08ecde9c7991372feb4498594ec62468049e739ec71c11ddc3bf3aa05ea1875178e235441819a00b
SSDEEP

49152:0f2OK9jJIoFe/S7zrfL3pmRk/5JaANZr/LHFTYUjy3/q3KgW:19jlw8rfjpmRc3/ZvlTtjVj

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2672	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2672	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2308-0-0x00000000001E0000-0x0000000000468000-memory.dmp	dcrat
C:\Program Files (x86)\Microsoft Office\Document Themes 14\winlogon.exe	dcrat
behavioral1/memory/3020-56-0x00000000011F0000-0x0000000001478000-memory.dmp	dcrat
behavioral1/memory/3020-58-0x000000001B2B0000-0x000000001B330000-memory.dmp	dcrat

Detects executables packed with SmartAssembly 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2308-8-0x0000000002220000-0x000000000222C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2308-11-0x000000001AB60000-0x000000001AB6C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Executes dropped EXE 1 IoCs

Processes:

csrss.exe

pid process

3020 csrss.exe

pid	process
3020	csrss.exe

Drops file in Program Files directory 10 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\0a1fd5f707cd16	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\7-Zip\Lang\smss.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\cc11b995f2a76d	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\0e5077e5dd8080	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\7-Zip\Lang\69ddcba757bf72	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\winlogon.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Windows NT\dllhost.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Program Files\Windows NT\5940a34987c991	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Drops file in Windows directory 6 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

description	ioc	process
File created	C:\Windows\CSC\services.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\CSC\c5b4cb5e9653cc	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\0e5077e5dd8080	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\ServiceProfiles\NetworkService\lsass.exe	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
File created	C:\Windows\ServiceProfiles\NetworkService\6203df4a6bafc7	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2708	schtasks.exe
2756	schtasks.exe
2520	schtasks.exe
896	schtasks.exe
2728	schtasks.exe
2240	schtasks.exe
1628	schtasks.exe
3052	schtasks.exe
3004	schtasks.exe
1996	schtasks.exe
1516	schtasks.exe
2488	schtasks.exe
588	schtasks.exe
1816	schtasks.exe
1844	schtasks.exe
1556	schtasks.exe
920	schtasks.exe
2948	schtasks.exe
1664	schtasks.exe
2428	schtasks.exe
796	schtasks.exe
1676	schtasks.exe
2264	schtasks.exe
1876	schtasks.exe
2592	schtasks.exe
2752	schtasks.exe
2336	schtasks.exe
1984	schtasks.exe
1292	schtasks.exe
2292	schtasks.exe
2536	schtasks.exe
2952	schtasks.exe
2332	schtasks.exe
1952	schtasks.exe
2120	schtasks.exe
2112	schtasks.exe
788	schtasks.exe
2716	schtasks.exe
2732	schtasks.exe
2844	schtasks.exe
2912	schtasks.exe
3016	schtasks.exe
2736	schtasks.exe
1568	schtasks.exe
2816	schtasks.exe
1732	schtasks.exe
1276	schtasks.exe
1620	schtasks.exe
1484	schtasks.exe
2280	schtasks.exe
1884	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.execsrss.exe

pid	process
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe
3020	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
Token: SeDebugPrivilege	3020	csrss.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.execmd.exe

description	pid	process	target process
PID 2308 wrote to memory of 3008	2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 2308 wrote to memory of 3008	2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 2308 wrote to memory of 3008	2308	e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe	cmd.exe
PID 3008 wrote to memory of 1804	3008	cmd.exe	w32tm.exe
PID 3008 wrote to memory of 1804	3008	cmd.exe	w32tm.exe
PID 3008 wrote to memory of 1804	3008	cmd.exe	w32tm.exe
PID 3008 wrote to memory of 3020	3008	cmd.exe	csrss.exe
PID 3008 wrote to memory of 3020	3008	cmd.exe	csrss.exe
PID 3008 wrote to memory of 3020	3008	cmd.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe
"C:\Users\Admin\AppData\Local\Temp\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zARrBFGb1P.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1804

C:\Users\Default\NetHood\csrss.exe
"C:\Users\Default\NetHood\csrss.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847e" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847e" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\CSC\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\CSC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\CSC\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847e" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847e" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Acrobat\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\Document Themes 14\winlogon.exe
Filesize
3.0MB

MD5
2600cbb9ad38c10aca6ac4a91900cc84

SHA1
f670e02edea5048e57c089ae4042f1f00a5790f0

SHA256
e62d890d90cb121e7fb678dea021786d5558ba433bc1499580b3e327bc85e847

SHA512
06da17684e3d84105b9872d1b74af780d0ffcbf80c2e2aae08ecde9c7991372feb4498594ec62468049e739ec71c11ddc3bf3aa05ea1875178e235441819a00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zARrBFGb1P.bat
Filesize
199B

MD5
af432a5460e70ed259ba315a3baaa78b

SHA1
47d3a6946160563bacbff7fc6c5aa6902e6dd4b5

SHA256
6c830038158f34bbc8aff0b331926ee48677326023af5dfaa913ea6234cbc22d

SHA512
b620f0c8da4b7d5c2a424aa2ae7e407e3ab41b4ab2bfe1914bdf4e1efddd1b1c4a7666fce27610d66710aad305df4a4d4441032e2bcb954916a91ae2d0f201d2

Download Submit
memory/2308-5-0x00000000022B0000-0x0000000002306000-memory.dmp

Filesize
344KB

Download
memory/2308-13-0x000000001AB80000-0x000000001AB8C000-memory.dmp

Filesize
48KB

Download
memory/2308-4-0x0000000002040000-0x0000000002056000-memory.dmp

Filesize
88KB

Download
memory/2308-0-0x00000000001E0000-0x0000000000468000-memory.dmp

Filesize
2.5MB

Download
memory/2308-6-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2308-7-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/2308-8-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/2308-9-0x000000001AB90000-0x000000001AB9E000-memory.dmp

Filesize
56KB

Download
memory/2308-10-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2308-11-0x000000001AB60000-0x000000001AB6C000-memory.dmp

Filesize
48KB

Download
memory/2308-12-0x000000001AB70000-0x000000001AB78000-memory.dmp

Filesize
32KB

Download
memory/2308-3-0x0000000000880000-0x000000000089C000-memory.dmp

Filesize
112KB

Download
memory/2308-2-0x000000001AE70000-0x000000001AEF0000-memory.dmp

Filesize
512KB

Download
memory/2308-1-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2308-53-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-57-0x000007FEF4DD0000-0x000007FEF57BC000-memory.dmp

Filesize
9.9MB

Download
memory/3020-56-0x00000000011F0000-0x0000000001478000-memory.dmp

Filesize
2.5MB

Download
memory/3020-58-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/3020-59-0x0000000000AC0000-0x0000000000B16000-memory.dmp

Filesize
344KB

Download
memory/3020-60-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/3020-61-0x000007FEF4DD0000-0x000007FEF57BC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads