dcrat | 0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3

General

Target

1610d005e2af505e573a49eecd7dadb7.exe
Size

1.3MB
MD5

1610d005e2af505e573a49eecd7dadb7
SHA1

a1ddc7111c710191d364cfba6943d8be87d4f454
SHA256

0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3
SHA512

5bd3f7ca3359e0fbe8e6b6d2ff9f007cdc2c19325c2bc24194814fe2d72fef32104d1739a6f37f4ca94a3779ee1715ec25f50e8c4dc8bac8e8397813b73feda8
SSDEEP

24576:xALTck+Rs8xdbtVhrETeQ35YaUccQEt5bSCi03FAx:xAnc1xQTeQ1ULi0

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	5108	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	5108	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/856-1-0x0000000000840000-0x0000000000990000-memory.dmp	dcrat
C:\Windows\es-ES\dwm.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1610d005e2af505e573a49eecd7dadb7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	1610d005e2af505e573a49eecd7dadb7.exe

Executes dropped EXE 1 IoCs

Processes:

sysmon.exe

pid process

2268 sysmon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2268	sysmon.exe

Drops file in System32 directory 2 IoCs

Processes:

1610d005e2af505e573a49eecd7dadb7.exe

description	ioc	process
File created	C:\Windows\System32\F12\it-IT\smss.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\System32\F12\it-IT\69ddcba757bf72	1610d005e2af505e573a49eecd7dadb7.exe

Drops file in Program Files directory 12 IoCs

Processes:

1610d005e2af505e573a49eecd7dadb7.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\55b276f4edf653	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files (x86)\Windows Defender\29c1c3cc0f7685	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\upfc.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\backgroundTaskHost.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files\Microsoft Office\Office16\fontdrvhost.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files\Microsoft Office\Office16\5b884080fd4f94	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files (x86)\Windows Defender\unsecapp.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\ea1d8f6d871115	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\eddb19405b7ce1	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files\MsEdgeCrashpad\fontdrvhost.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Program Files\MsEdgeCrashpad\5b884080fd4f94	1610d005e2af505e573a49eecd7dadb7.exe

Drops file in Windows directory 9 IoCs

Processes:

1610d005e2af505e573a49eecd7dadb7.exe

description	ioc	process
File created	C:\Windows\es-ES\dwm.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\ShellExperiences\msedge.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\ShellExperiences\61a52ddc9dd915	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\Speech\msedge.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\Speech\61a52ddc9dd915	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\apppatch\en-US\smss.exe	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\es-ES\6cb0b6c459d5d3	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\apppatch\en-US\69ddcba757bf72	1610d005e2af505e573a49eecd7dadb7.exe
File created	C:\Windows\OCR\en-us\spoolsv.exe	1610d005e2af505e573a49eecd7dadb7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3096	schtasks.exe
1524	schtasks.exe
392	schtasks.exe
2728	schtasks.exe
2616	schtasks.exe
1788	schtasks.exe
2176	schtasks.exe
2672	schtasks.exe
4480	schtasks.exe
4312	schtasks.exe
1648	schtasks.exe
1736	schtasks.exe
1048	schtasks.exe
4340	schtasks.exe
1172	schtasks.exe
400	schtasks.exe
1836	schtasks.exe
1716	schtasks.exe
60	schtasks.exe
2772	schtasks.exe
508	schtasks.exe
3728	schtasks.exe
4640	schtasks.exe
5104	schtasks.exe
1680	schtasks.exe
5084	schtasks.exe
436	schtasks.exe
4652	schtasks.exe
1464	schtasks.exe
2596	schtasks.exe
1732	schtasks.exe
1400	schtasks.exe
3588	schtasks.exe
1444	schtasks.exe
3276	schtasks.exe
1516	schtasks.exe
4432	schtasks.exe
3272	schtasks.exe
836	schtasks.exe
1112	schtasks.exe
2700	schtasks.exe
632	schtasks.exe
4676	schtasks.exe
4928	schtasks.exe
3712	schtasks.exe
4520	schtasks.exe
2904	schtasks.exe
3036	schtasks.exe
8	schtasks.exe
1668	schtasks.exe
2584	schtasks.exe
2268	schtasks.exe
3232	schtasks.exe
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

1610d005e2af505e573a49eecd7dadb7.exesysmon.exe

pid	process
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
856	1610d005e2af505e573a49eecd7dadb7.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe
2268	sysmon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sysmon.exe

pid process

2268 sysmon.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1610d005e2af505e573a49eecd7dadb7.exesysmon.exe

description pid process

Token: SeDebugPrivilege 856 1610d005e2af505e573a49eecd7dadb7.exe
Token: SeDebugPrivilege 2268 sysmon.exe

pid	process
2268	sysmon.exe

description	pid	process
Token: SeDebugPrivilege	856	1610d005e2af505e573a49eecd7dadb7.exe
Token: SeDebugPrivilege	2268	sysmon.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

1610d005e2af505e573a49eecd7dadb7.exe

description	pid	process	target process
PID 856 wrote to memory of 2268	856	1610d005e2af505e573a49eecd7dadb7.exe	sysmon.exe
PID 856 wrote to memory of 2268	856	1610d005e2af505e573a49eecd7dadb7.exe	sysmon.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1610d005e2af505e573a49eecd7dadb7.exe
"C:\Users\Admin\AppData\Local\Temp\1610d005e2af505e573a49eecd7dadb7.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\Searches\sysmon.exe
"C:\Users\Admin\Searches\sysmon.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\Speech\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\MsEdgeCrashpad\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\MsEdgeCrashpad\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1610d005e2af505e573a49eecd7dadb71" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\1610d005e2af505e573a49eecd7dadb7.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1610d005e2af505e573a49eecd7dadb7" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\1610d005e2af505e573a49eecd7dadb7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1610d005e2af505e573a49eecd7dadb71" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\1610d005e2af505e573a49eecd7dadb7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\apppatch\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\apppatch\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\System32\F12\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\F12\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\F12\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4324,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1324 /prefetch:8
1⤵
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\es-ES\dwm.exe
Filesize
1.3MB

MD5
1610d005e2af505e573a49eecd7dadb7

SHA1
a1ddc7111c710191d364cfba6943d8be87d4f454

SHA256
0f0009550ad8a696b79efaddb21f8ce26236c5c302c5159e0af3d7fe75b57fd3

SHA512
5bd3f7ca3359e0fbe8e6b6d2ff9f007cdc2c19325c2bc24194814fe2d72fef32104d1739a6f37f4ca94a3779ee1715ec25f50e8c4dc8bac8e8397813b73feda8

Download Submit
memory/856-3-0x0000000002BB0000-0x0000000002BCC000-memory.dmp

Filesize
112KB

Download
memory/856-2-0x00007FF842BE0000-0x00007FF8436A1000-memory.dmp

Filesize
10.8MB

Download
memory/856-0-0x00007FF842BE3000-0x00007FF842BE5000-memory.dmp

Filesize
8KB

Download
memory/856-6-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/856-5-0x0000000002BD0000-0x0000000002BE6000-memory.dmp

Filesize
88KB

Download
memory/856-4-0x000000001B520000-0x000000001B570000-memory.dmp

Filesize
320KB

Download
memory/856-7-0x000000001C290000-0x000000001C7B8000-memory.dmp

Filesize
5.2MB

Download
memory/856-8-0x000000001B4F0000-0x000000001B4FE000-memory.dmp

Filesize
56KB

Download
memory/856-1-0x0000000000840000-0x0000000000990000-memory.dmp

Filesize
1.3MB

Download
memory/856-56-0x00007FF842BE0000-0x00007FF8436A1000-memory.dmp

Filesize
10.8MB

Download
memory/2268-57-0x0000000002A40000-0x0000000002A52000-memory.dmp

Filesize
72KB

Download
memory/2268-58-0x000000001BA90000-0x000000001BAAE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads