dcrat | 1edf9fc7435444f0d98694bde9001f15661b6c68c83814584c4e8af1a0eb40ba

Analysis

max time kernel
1171s
max time network
1007s
platform
windows10-1703_x64
resource
win10-20220812-es
resource tags

arch:x64arch:x86image:win10-20220812-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
29-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0119dd5b6e65751544c84abaa9dc17cb.exe
Size

2.7MB
MD5

0119dd5b6e65751544c84abaa9dc17cb
SHA1

93af9df5a87093f92ad4169c86ad7d7da08956dd
SHA256

25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d
SHA512

6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb
SSDEEP

49152:3JuW0kmHDQLvRmxonwgvTFWL9lDzUYWOEEmDHmDhftV2:3J/UUvkx5gvTFE9tAYWIm6DFz2

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4880	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe0119dd5b6e65751544c84abaa9dc17cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2584-120-0x00000000006F0000-0x00000000009AE000-memory.dmp	dcrat
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe	dcrat
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe	dcrat
C:\Recovery\WindowsRE\fontdrvhost.exe	dcrat
C:\Recovery\WindowsRE\fontdrvhost.exe	dcrat
C:\Recovery\WindowsRE\fontdrvhost.exe	dcrat
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe	dcrat
C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe	dcrat
C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe	dcrat
C:\odt\sppsvc.exe	dcrat
C:\odt\sppsvc.exe	dcrat
C:\Recovery\WindowsRE\fontdrvhost.exe	dcrat
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe	dcrat
C:\Recovery\WindowsRE\fontdrvhost.exe	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts 0119dd5b6e65751544c84abaa9dc17cb.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0119dd5b6e65751544c84abaa9dc17cb.exe

Executes dropped EXE 9 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exefontdrvhost.exefontdrvhost.exe0119dd5b6e65751544c84abaa9dc17cb.exeSearchUI.exesppsvc.exefontdrvhost.exe0119dd5b6e65751544c84abaa9dc17cb.exefontdrvhost.exe

pid	process
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4040	fontdrvhost.exe
4776	fontdrvhost.exe
4764	0119dd5b6e65751544c84abaa9dc17cb.exe
1820	SearchUI.exe
796	sppsvc.exe
1120	fontdrvhost.exe
1572	0119dd5b6e65751544c84abaa9dc17cb.exe
4804	fontdrvhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe0119dd5b6e65751544c84abaa9dc17cb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe

Drops file in Program Files directory 2 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe	0119dd5b6e65751544c84abaa9dc17cb.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\dab4d89cac03ec	0119dd5b6e65751544c84abaa9dc17cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4972 4368 WerFault.exe 0119dd5b6e65751544c84abaa9dc17cb.exe

pid	pid_target	process	target process
4972	4368	WerFault.exe	0119dd5b6e65751544c84abaa9dc17cb.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1488	schtasks.exe
4212	schtasks.exe
3188	schtasks.exe
4108	schtasks.exe
4296	schtasks.exe
3648	schtasks.exe
4904	schtasks.exe
3624	schtasks.exe
1152	schtasks.exe
2292	schtasks.exe
2564	schtasks.exe
3380	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe0119dd5b6e65751544c84abaa9dc17cb.exe

pid	process
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
2584	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe
4368	0119dd5b6e65751544c84abaa9dc17cb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe

pid process

4368 0119dd5b6e65751544c84abaa9dc17cb.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe0119dd5b6e65751544c84abaa9dc17cb.exefontdrvhost.exefontdrvhost.exe0119dd5b6e65751544c84abaa9dc17cb.exeSearchUI.exesppsvc.exefontdrvhost.exe0119dd5b6e65751544c84abaa9dc17cb.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	2584	0119dd5b6e65751544c84abaa9dc17cb.exe
Token: SeDebugPrivilege	4368	0119dd5b6e65751544c84abaa9dc17cb.exe
Token: SeDebugPrivilege	4040	fontdrvhost.exe
Token: SeDebugPrivilege	4776	fontdrvhost.exe
Token: SeDebugPrivilege	4764	0119dd5b6e65751544c84abaa9dc17cb.exe
Token: SeDebugPrivilege	1820	SearchUI.exe
Token: SeDebugPrivilege	796	sppsvc.exe
Token: SeDebugPrivilege	1120	fontdrvhost.exe
Token: SeDebugPrivilege	1572	0119dd5b6e65751544c84abaa9dc17cb.exe
Token: SeDebugPrivilege	4804	fontdrvhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe

pid process

4368 0119dd5b6e65751544c84abaa9dc17cb.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe

description	pid	process	target process
PID 2584 wrote to memory of 4368	2584	0119dd5b6e65751544c84abaa9dc17cb.exe	0119dd5b6e65751544c84abaa9dc17cb.exe
PID 2584 wrote to memory of 4368	2584	0119dd5b6e65751544c84abaa9dc17cb.exe	0119dd5b6e65751544c84abaa9dc17cb.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

0119dd5b6e65751544c84abaa9dc17cb.exe0119dd5b6e65751544c84abaa9dc17cb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	0119dd5b6e65751544c84abaa9dc17cb.exe

C:\Users\Admin\AppData\Local\Temp\0119dd5b6e65751544c84abaa9dc17cb.exe
"C:\Users\Admin\AppData\Local\Temp\0119dd5b6e65751544c84abaa9dc17cb.exe"
1⤵
- UAC bypass
- Drops file in Drivers directory
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2584

C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
"C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe"
2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4368

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4368 -s 2512
3⤵
- Program crash
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0119dd5b6e65751544c84abaa9dc17cb0" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0119dd5b6e65751544c84abaa9dc17cb" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0119dd5b6e65751544c84abaa9dc17cb0" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\odt\sppsvc.exe
C:\odt\sppsvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\SearchUI.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\0119dd5b6e65751544c84abaa9dc17cb.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\0119dd5b6e65751544c84abaa9dc17cb.exe.log
Filesize
1KB

MD5
430a3e587f99c7640a58a042ce63bdd6

SHA1
5d11d6b74e56cf622796971b8f57f57ca37592db

SHA256
a087c10187c77ec487d0dcce45d36d5b1ff44f063aba489a17937f041de70bf7

SHA512
0b2422fceade7f32cabf29cbb658663ec6f05c977435f66d1bd80c99ae0043e0d95f1bfafa4ec4fe84bc77a1a3b45bf38e84ce8737a6cf2b25bad4e37af0797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\odt\sppsvc.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
C:\odt\sppsvc.exe
Filesize
2.7MB

MD5
0119dd5b6e65751544c84abaa9dc17cb

SHA1
93af9df5a87093f92ad4169c86ad7d7da08956dd

SHA256
25952379e5996ee2563716778ad1f597de228c1bd2d918005152a8ba9299c28d

SHA512
6cf855272dd978966b665f8ff91eba7ba3fe1314c3c15533d369df47028d2c3be4fc90635866f5f7d2da41deaa37352a78671c5c9ba30559d81885a3e46b39cb

Download Submit
memory/2584-124-0x0000000002AF0000-0x0000000002B06000-memory.dmp

Filesize
88KB

Download
memory/2584-130-0x0000000002B20000-0x0000000002B2C000-memory.dmp

Filesize
48KB

Download
memory/2584-132-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

Filesize
48KB

Download
memory/2584-133-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/2584-134-0x000000001BD30000-0x000000001BD42000-memory.dmp

Filesize
72KB

Download
memory/2584-135-0x000000001C510000-0x000000001CA36000-memory.dmp

Filesize
5.1MB

Download
memory/2584-136-0x000000001BD60000-0x000000001BD6C000-memory.dmp

Filesize
48KB

Download
memory/2584-137-0x000000001BD70000-0x000000001BD7E000-memory.dmp

Filesize
56KB

Download
memory/2584-138-0x000000001BD80000-0x000000001BD8C000-memory.dmp

Filesize
48KB

Download
memory/2584-139-0x0000000000FC9000-0x0000000000FCF000-memory.dmp

Filesize
24KB

Download
memory/2584-144-0x0000000000FC9000-0x0000000000FCF000-memory.dmp

Filesize
24KB

Download
memory/2584-131-0x0000000002B50000-0x0000000002B58000-memory.dmp

Filesize
32KB

Download
memory/2584-129-0x000000001BCE0000-0x000000001BD36000-memory.dmp

Filesize
344KB

Download
memory/2584-128-0x000000001B590000-0x000000001B59A000-memory.dmp

Filesize
40KB

Download
memory/2584-127-0x0000000002B40000-0x0000000002B50000-memory.dmp

Filesize
64KB

Download
memory/2584-126-0x0000000002B30000-0x0000000002B42000-memory.dmp

Filesize
72KB

Download
memory/2584-125-0x0000000002B10000-0x0000000002B18000-memory.dmp

Filesize
32KB

Download
memory/2584-123-0x000000001B540000-0x000000001B590000-memory.dmp

Filesize
320KB

Download
memory/2584-122-0x0000000000FE0000-0x0000000000FFC000-memory.dmp

Filesize
112KB

Download
memory/2584-121-0x000000001BAD0000-0x000000001BBD2000-memory.dmp

Filesize
1.0MB

Download
memory/2584-120-0x00000000006F0000-0x00000000009AE000-memory.dmp

Filesize
2.7MB

Download
memory/4368-152-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-155-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-156-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-157-0x000000001B9C7000-0x000000001B9CE000-memory.dmp

Filesize
28KB

Download
memory/4368-158-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-159-0x000000001B9C7000-0x000000001B9CE000-memory.dmp

Filesize
28KB

Download
memory/4368-160-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-161-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-162-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-163-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-164-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-165-0x000000001B9C7000-0x000000001B9CE000-memory.dmp

Filesize
28KB

Download
memory/4368-166-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-167-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-168-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-169-0x000000001B9C9000-0x000000001B9CE000-memory.dmp

Filesize
20KB

Download
memory/4368-170-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-171-0x000000001B9C7000-0x000000001B9CE000-memory.dmp

Filesize
28KB

Download
memory/4368-172-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-173-0x000000001B9C7000-0x000000001B9CA000-memory.dmp

Filesize
12KB

Download
memory/4368-174-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-175-0x000000001B9C9000-0x000000001B9CE000-memory.dmp

Filesize
20KB

Download
memory/4368-178-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-179-0x000000001B9C7000-0x000000001B9CA000-memory.dmp

Filesize
12KB

Download
memory/4368-154-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-153-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-151-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-150-0x000000001B9C9000-0x000000001B9CF000-memory.dmp

Filesize
24KB

Download
memory/4368-149-0x000000001BFF0000-0x000000001C540000-memory.dmp

Filesize
5.3MB

Download
memory/4368-148-0x000000001B9C9000-0x000000001B9CF000-memory.dmp

Filesize
24KB

Download
memory/4368-147-0x000000001B750000-0x000000001B762000-memory.dmp

Filesize
72KB

Download
memory/4368-146-0x000000001B680000-0x000000001B6D6000-memory.dmp

Filesize
344KB

Download
memory/4368-145-0x0000000002D70000-0x0000000002D82000-memory.dmp

Filesize
72KB

Download
memory/4368-140-0x0000000000000000-mapping.dmp

Download