dcrat | 82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb

General

Target

1a9c19cd373f9ce0642f18f6965521b3.exe
Size

1.1MB
MD5

1a9c19cd373f9ce0642f18f6965521b3
SHA1

64bc66f217964ab7310084cc9b2e4ef72ea7156b
SHA256

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb
SHA512

3b68254d3425e45f2d28dbdf0507fe723ea4ef493c33707fb94ea23d30e59ad63c8ba30d7efc3102d88bda70d60ab3895f2e8dcdd9383260ef3807afd6cf2349
SSDEEP

24576:10ybzboC40b/IwQSETTrn/BBhA/nJTbEHzsS/:10ykC40nEIdSzs

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2932	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2932	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/3048-1-0x0000000000BD0000-0x0000000000CF6000-memory.dmp	dcrat
C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\winlogon.exe	dcrat
behavioral1/memory/2156-47-0x0000000000BC0000-0x0000000000CE6000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

OSPPSVC.exe

pid process

2156 OSPPSVC.exe

pid	process
2156	OSPPSVC.exe

Drops file in System32 directory 2 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	ioc	process
File created	C:\Windows\System32\nl-NL\Idle.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Windows\System32\nl-NL\6ccacd8608530f	1a9c19cd373f9ce0642f18f6965521b3.exe

Drops file in Program Files directory 18 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	ioc	process
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Sidebar\en-US\1610b97d3ab4a7	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\7a0fd90576e088	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Google\Temp\System.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\1a9c19cd373f9ce0642f18f6965521b3.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\0a1490c3759d76	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\1a9c19cd373f9ce0642f18f6965521b3.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\0a1490c3759d76	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Uninstall Information\services.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Journal\it-IT\csrss.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Journal\it-IT\886983d96e3d3e	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Google\Temp\27d1bcfc3c54e0	1a9c19cd373f9ce0642f18f6965521b3.exe

Drops file in Windows directory 3 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	ioc	process
File created	C:\Windows\Fonts\explorer.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Windows\Fonts\7a0fd90576e088	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Windows\servicing\csrss.exe	1a9c19cd373f9ce0642f18f6965521b3.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1948	schtasks.exe
2432	schtasks.exe
2256	schtasks.exe
1488	schtasks.exe
992	schtasks.exe
1856	schtasks.exe
2364	schtasks.exe
2944	schtasks.exe
2768	schtasks.exe
2660	schtasks.exe
1288	schtasks.exe
1784	schtasks.exe
2916	schtasks.exe
2588	schtasks.exe
3032	schtasks.exe
2484	schtasks.exe
792	schtasks.exe
2280	schtasks.exe
2032	schtasks.exe
2900	schtasks.exe
1052	schtasks.exe
1344	schtasks.exe
1508	schtasks.exe
2232	schtasks.exe
2716	schtasks.exe
2712	schtasks.exe
2724	schtasks.exe
2148	schtasks.exe
1280	schtasks.exe
1292	schtasks.exe
1144	schtasks.exe
2128	schtasks.exe
2244	schtasks.exe
2228	schtasks.exe
892	schtasks.exe
2200	schtasks.exe
1364	schtasks.exe
1772	schtasks.exe
328	schtasks.exe
2428	schtasks.exe
1804	schtasks.exe
2832	schtasks.exe
2064	schtasks.exe
1036	schtasks.exe
840	schtasks.exe
2108	schtasks.exe
2872	schtasks.exe
2608	schtasks.exe
1788	schtasks.exe
3060	schtasks.exe
2024	schtasks.exe
2480	schtasks.exe
1712	schtasks.exe
2192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exeOSPPSVC.exe

pid process

3048 1a9c19cd373f9ce0642f18f6965521b3.exe
3048 1a9c19cd373f9ce0642f18f6965521b3.exe
3048 1a9c19cd373f9ce0642f18f6965521b3.exe
2156 OSPPSVC.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exeOSPPSVC.exe

description pid process

Token: SeDebugPrivilege 3048 1a9c19cd373f9ce0642f18f6965521b3.exe
Token: SeDebugPrivilege 2156 OSPPSVC.exe

pid	process
3048	1a9c19cd373f9ce0642f18f6965521b3.exe
3048	1a9c19cd373f9ce0642f18f6965521b3.exe
3048	1a9c19cd373f9ce0642f18f6965521b3.exe
2156	OSPPSVC.exe

description	pid	process
Token: SeDebugPrivilege	3048	1a9c19cd373f9ce0642f18f6965521b3.exe
Token: SeDebugPrivilege	2156	OSPPSVC.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	pid	process	target process
PID 3048 wrote to memory of 2156	3048	1a9c19cd373f9ce0642f18f6965521b3.exe	OSPPSVC.exe
PID 3048 wrote to memory of 2156	3048	1a9c19cd373f9ce0642f18f6965521b3.exe	OSPPSVC.exe
PID 3048 wrote to memory of 2156	3048	1a9c19cd373f9ce0642f18f6965521b3.exe	OSPPSVC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1a9c19cd373f9ce0642f18f6965521b3.exe
"C:\Users\Admin\AppData\Local\Temp\1a9c19cd373f9ce0642f18f6965521b3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe
"C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1a9c19cd373f9ce0642f18f6965521b31" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\1a9c19cd373f9ce0642f18f6965521b3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1a9c19cd373f9ce0642f18f6965521b3" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\1a9c19cd373f9ce0642f18f6965521b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1a9c19cd373f9ce0642f18f6965521b31" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\1a9c19cd373f9ce0642f18f6965521b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1a9c19cd373f9ce0642f18f6965521b31" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\1a9c19cd373f9ce0642f18f6965521b3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1a9c19cd373f9ce0642f18f6965521b3" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\1a9c19cd373f9ce0642f18f6965521b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1a9c19cd373f9ce0642f18f6965521b31" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\1a9c19cd373f9ce0642f18f6965521b3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\b2a802a2-3b12-11ef-8991-d2f1755c8afd\winlogon.exe
Filesize
1.1MB

MD5
1a9c19cd373f9ce0642f18f6965521b3

SHA1
64bc66f217964ab7310084cc9b2e4ef72ea7156b

SHA256
82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb

SHA512
3b68254d3425e45f2d28dbdf0507fe723ea4ef493c33707fb94ea23d30e59ad63c8ba30d7efc3102d88bda70d60ab3895f2e8dcdd9383260ef3807afd6cf2349

Download Submit
memory/2156-47-0x0000000000BC0000-0x0000000000CE6000-memory.dmp

Filesize
1.1MB

Download
memory/3048-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/3048-1-0x0000000000BD0000-0x0000000000CF6000-memory.dmp

Filesize
1.1MB

Download
memory/3048-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/3048-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/3048-4-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/3048-48-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads