dcrat | 8fdf276499e757074ab09e455ed6827cf8d981212a5fb9aafdf586c264ee3fac

General

Target

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
Size

1.1MB
MD5

1a9c19cd373f9ce0642f18f6965521b3
SHA1

64bc66f217964ab7310084cc9b2e4ef72ea7156b
SHA256

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb
SHA512

3b68254d3425e45f2d28dbdf0507fe723ea4ef493c33707fb94ea23d30e59ad63c8ba30d7efc3102d88bda70d60ab3895f2e8dcdd9383260ef3807afd6cf2349
SSDEEP

24576:10ybzboC40b/IwQSETTrn/BBhA/nJTbEHzsS/:10ykC40nEIdSzs

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3852	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	4900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4900	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4588-1-0x00000000000E0000-0x0000000000206000-memory.dmp	dcrat
C:\Program Files\Java\csrss.exe	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

Executes dropped EXE 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

4332 StartMenuExperienceHost.exe

pid	process
4332	StartMenuExperienceHost.exe

Drops file in Program Files directory 16 IoCs

Processes:

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\886983d96e3d3e	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\Java\886983d96e3d3e	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\dotnet\swidtag\38384e6a620884	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\Internet Explorer\es-ES\5940a34987c991	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\56085415360792	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\Windows Defender\es-ES\explorer.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\Internet Explorer\es-ES\dllhost.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files (x86)\Google\Temp\eddb19405b7ce1	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\dotnet\swidtag\SearchApp.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\Windows Defender\es-ES\7a0fd90576e088	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Program Files\Java\csrss.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

Drops file in Windows directory 4 IoCs

Processes:

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

description	ioc	process
File created	C:\Windows\fr-FR\55b276f4edf653	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Windows\L2Schemas\csrss.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
File created	C:\Windows\fr-FR\StartMenuExperienceHost.exe	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2524	schtasks.exe
116	schtasks.exe
3964	schtasks.exe
1340	schtasks.exe
1476	schtasks.exe
3044	schtasks.exe
2352	schtasks.exe
1396	schtasks.exe
3852	schtasks.exe
4424	schtasks.exe
3084	schtasks.exe
1548	schtasks.exe
4964	schtasks.exe
4212	schtasks.exe
4364	schtasks.exe
4032	schtasks.exe
2628	schtasks.exe
1556	schtasks.exe
4344	schtasks.exe
4128	schtasks.exe
4428	schtasks.exe
712	schtasks.exe
4356	schtasks.exe
2192	schtasks.exe
792	schtasks.exe
1052	schtasks.exe
2820	schtasks.exe
4844	schtasks.exe
2300	schtasks.exe
5108	schtasks.exe
2452	schtasks.exe
4828	schtasks.exe
4120	schtasks.exe
3248	schtasks.exe
2204	schtasks.exe
4628	schtasks.exe
4512	schtasks.exe
1232	schtasks.exe
1652	schtasks.exe
2152	schtasks.exe
3652	schtasks.exe
4296	schtasks.exe
4160	schtasks.exe
5056	schtasks.exe
1164	schtasks.exe
5060	schtasks.exe
668	schtasks.exe
960	schtasks.exe
456	schtasks.exe
2420	schtasks.exe
2868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exeStartMenuExperienceHost.exe

pid	process
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
4332	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exeStartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
Token: SeDebugPrivilege	4332	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.execmd.exe

description	pid	process	target process
PID 4588 wrote to memory of 3452	4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe	cmd.exe
PID 4588 wrote to memory of 3452	4588	82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe	cmd.exe
PID 3452 wrote to memory of 2560	3452	cmd.exe	w32tm.exe
PID 3452 wrote to memory of 2560	3452	cmd.exe	w32tm.exe
PID 3452 wrote to memory of 4332	3452	cmd.exe	StartMenuExperienceHost.exe
PID 3452 wrote to memory of 4332	3452	cmd.exe	StartMenuExperienceHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe
"C:\Users\Admin\AppData\Local\Temp\82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Lmcd3RNoC.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:2560

C:\Windows\fr-FR\StartMenuExperienceHost.exe
"C:\Windows\fr-FR\StartMenuExperienceHost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\swidtag\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\swidtag\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\csrss.exe

Filesize
1.1MB

MD5
1a9c19cd373f9ce0642f18f6965521b3

SHA1
64bc66f217964ab7310084cc9b2e4ef72ea7156b

SHA256
82bea7c0254a8a0b675f8702eb3dafbbcc608bdb672738d159b33ae699a4d5bb

SHA512
3b68254d3425e45f2d28dbdf0507fe723ea4ef493c33707fb94ea23d30e59ad63c8ba30d7efc3102d88bda70d60ab3895f2e8dcdd9383260ef3807afd6cf2349

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Lmcd3RNoC.bat

Filesize
209B

MD5
b2ccfb1ae44c91763012c9d3e0865a78

SHA1
2accc0cac981c243d2c0412f7a07a549be46e221

SHA256
567ae86bc548a3c219bd0a941097769d4659d8bf387efccb4242e2782af2491d

SHA512
6d291ab33633bfbe952d88ea4903ccf3b3ce91b60dc4f464f99868ba772e58188bb39e0bc6e9925e475ac1abfb64f7f4bb1e8448b515cf070d3e16fc5a6436d2

Download Submit
memory/4588-0-0x00007FF9BF273000-0x00007FF9BF275000-memory.dmp

Filesize
8KB

Download
memory/4588-1-0x00000000000E0000-0x0000000000206000-memory.dmp

Filesize
1.1MB

Download
memory/4588-2-0x0000000002330000-0x000000000234C000-memory.dmp

Filesize
112KB

Download
memory/4588-3-0x000000001AEE0000-0x000000001AF30000-memory.dmp

Filesize
320KB

Download
memory/4588-4-0x0000000002350000-0x0000000002366000-memory.dmp

Filesize
88KB

Download
memory/4588-7-0x00007FF9BF270000-0x00007FF9BFD31000-memory.dmp

Filesize
10.8MB

Download
memory/4588-45-0x00007FF9BF270000-0x00007FF9BFD31000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads