dcrat | 82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb

General

Target

1a9c19cd373f9ce0642f18f6965521b3.exe
Size

1.1MB
MD5

1a9c19cd373f9ce0642f18f6965521b3
SHA1

64bc66f217964ab7310084cc9b2e4ef72ea7156b
SHA256

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb
SHA512

3b68254d3425e45f2d28dbdf0507fe723ea4ef493c33707fb94ea23d30e59ad63c8ba30d7efc3102d88bda70d60ab3895f2e8dcdd9383260ef3807afd6cf2349
SSDEEP

24576:10ybzboC40b/IwQSETTrn/BBhA/nJTbEHzsS/:10ykC40nEIdSzs

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3484	888	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2368-1-0x0000000000B10000-0x0000000000C36000-memory.dmp	dcrat
C:\Users\Admin\Pictures\Saved Pictures\TextInputHost.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	1a9c19cd373f9ce0642f18f6965521b3.exe

Executes dropped EXE 1 IoCs

Processes:

fontdrvhost.exe

pid process

2564 fontdrvhost.exe

pid	process
2564	fontdrvhost.exe

Drops file in Program Files directory 13 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	ioc	process
File created	C:\Program Files\Windows Defender\spoolsv.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\56085415360792	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Security\BrowserCore\5b884080fd4f94	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Defender\f3b6ecef712a24	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\ee2ad38f3d4382	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\7-Zip\Lang\Registry.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\7-Zip\Lang\ee2ad38f3d4382	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\0a1fd5f707cd16	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File opened for modification	C:\Program Files\Windows Defender\spoolsv.exe	1a9c19cd373f9ce0642f18f6965521b3.exe

Drops file in Windows directory 2 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	ioc	process
File created	C:\Windows\InputMethod\csrss.exe	1a9c19cd373f9ce0642f18f6965521b3.exe
File created	C:\Windows\InputMethod\886983d96e3d3e	1a9c19cd373f9ce0642f18f6965521b3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2976	schtasks.exe
528	schtasks.exe
1500	schtasks.exe
3808	schtasks.exe
3284	schtasks.exe
4996	schtasks.exe
4568	schtasks.exe
100	schtasks.exe
4564	schtasks.exe
216	schtasks.exe
748	schtasks.exe
2488	schtasks.exe
4724	schtasks.exe
4960	schtasks.exe
464	schtasks.exe
1276	schtasks.exe
3400	schtasks.exe
2680	schtasks.exe
5012	schtasks.exe
5044	schtasks.exe
2348	schtasks.exe
3500	schtasks.exe
3484	schtasks.exe
3692	schtasks.exe
3120	schtasks.exe
1788	schtasks.exe
1704	schtasks.exe
4192	schtasks.exe
2628	schtasks.exe
1076	schtasks.exe
2696	schtasks.exe
4920	schtasks.exe
4240	schtasks.exe
396	schtasks.exe
1256	schtasks.exe
1144	schtasks.exe
1460	schtasks.exe
932	schtasks.exe
4576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exefontdrvhost.exe

pid	process
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2368	1a9c19cd373f9ce0642f18f6965521b3.exe
2564	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exefontdrvhost.exe

description pid process

Token: SeDebugPrivilege 2368 1a9c19cd373f9ce0642f18f6965521b3.exe
Token: SeDebugPrivilege 2564 fontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	2368	1a9c19cd373f9ce0642f18f6965521b3.exe
Token: SeDebugPrivilege	2564	fontdrvhost.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

1a9c19cd373f9ce0642f18f6965521b3.exe

description	pid	process	target process
PID 2368 wrote to memory of 2564	2368	1a9c19cd373f9ce0642f18f6965521b3.exe	fontdrvhost.exe
PID 2368 wrote to memory of 2564	2368	1a9c19cd373f9ce0642f18f6965521b3.exe	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1a9c19cd373f9ce0642f18f6965521b3.exe
"C:\Users\Admin\AppData\Local\Temp\1a9c19cd373f9ce0642f18f6965521b3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe
"C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\My Music\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Music\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\Saved Pictures\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Saved Pictures\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\InputMethod\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Pictures\Saved Pictures\TextInputHost.exe

Filesize
1.1MB

MD5
1a9c19cd373f9ce0642f18f6965521b3

SHA1
64bc66f217964ab7310084cc9b2e4ef72ea7156b

SHA256
82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb

SHA512
3b68254d3425e45f2d28dbdf0507fe723ea4ef493c33707fb94ea23d30e59ad63c8ba30d7efc3102d88bda70d60ab3895f2e8dcdd9383260ef3807afd6cf2349

Download Submit
memory/2368-0-0x00007FF9A0413000-0x00007FF9A0415000-memory.dmp

Filesize
8KB

Download
memory/2368-1-0x0000000000B10000-0x0000000000C36000-memory.dmp

Filesize
1.1MB

Download
memory/2368-2-0x00007FF9A0410000-0x00007FF9A0ED1000-memory.dmp

Filesize
10.8MB

Download
memory/2368-3-0x000000001B940000-0x000000001B95C000-memory.dmp

Filesize
112KB

Download
memory/2368-4-0x000000001BEE0000-0x000000001BF30000-memory.dmp

Filesize
320KB

Download
memory/2368-5-0x000000001BE90000-0x000000001BEA6000-memory.dmp

Filesize
88KB

Download
memory/2368-43-0x00007FF9A0410000-0x00007FF9A0ED1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads