dcrat | f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a

Analysis

max time kernel
300s
max time network
299s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
10-01-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe
Size

2.7MB
MD5

03568cc59bb988ddeb9df3481f81882c
SHA1

1d366a8f9a7cd51b18a69643a1d93dc3af82da65
SHA256

f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a
SHA512

7f9b9fd8e5af7a4660cd1d9ec19489eb7daf759d2065fdb5386c07cb363a0ec0c08a333da994762fadcf523a49896f234ca6e6465727b8a6886baf59f7436b2d
SSDEEP

49152:jbA30Dluyq908xIgQSZjQEoKG7iBNFqPGgeTVvXB8t15KQA+zv+3FGOGp:jbcL5jAiNA+pBvB8v5TAhVGrp

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2072	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	2072	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

polaw.exedllhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/3268-320-0x0000000000DA0000-0x0000000001334000-memory.dmp	dcrat
behavioral2/memory/3268-379-0x0000000000DA0000-0x0000000001334000-memory.dmp	dcrat
behavioral2/memory/2720-429-0x0000000000AB0000-0x0000000001044000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

work.exepolaw.exedllhost.exe

pid process

4336 work.exe
3268 polaw.exe
2720 dllhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4336	work.exe
3268	polaw.exe
2720	dllhost.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

dllhost.exepolaw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	polaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dllhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 30 IoCs

Processes:

polaw.exedllhost.exe

pid	process
3268	polaw.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe

Drops file in Program Files directory 6 IoCs

Processes:

polaw.exe

description	ioc	process
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\886983d96e3d3e	polaw.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	polaw.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\e6c9b481da804f	polaw.exe
File created	C:\Program Files\Common Files\Services\Idle.exe	polaw.exe
File created	C:\Program Files\Common Files\Services\6ccacd8608530f	polaw.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe	polaw.exe

Drops file in Windows directory 6 IoCs

Processes:

polaw.exe

description	ioc	process
File created	C:\Windows\ModemLogs\42783c70be598f	polaw.exe
File created	C:\Windows\Speech_OneCore\spoolsv.exe	polaw.exe
File created	C:\Windows\Speech_OneCore\f3b6ecef712a24	polaw.exe
File created	C:\Windows\Resources\Maps\font\dllhost.exe	polaw.exe
File created	C:\Windows\Resources\Maps\font\5940a34987c991	polaw.exe
File created	C:\Windows\ModemLogs\polaw.exe	polaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2292	schtasks.exe
224	schtasks.exe
1172	schtasks.exe
4708	schtasks.exe
2256	schtasks.exe
1492	schtasks.exe
2580	schtasks.exe
4004	schtasks.exe
4668	schtasks.exe
1484	schtasks.exe
1128	schtasks.exe
1604	schtasks.exe
1728	schtasks.exe
4300	schtasks.exe
2328	schtasks.exe
2616	schtasks.exe
2120	schtasks.exe
3884	schtasks.exe
2144	schtasks.exe
3880	schtasks.exe
2040	schtasks.exe
1532	schtasks.exe
1524	schtasks.exe
4896	schtasks.exe
4052	schtasks.exe
216	schtasks.exe
4180	schtasks.exe
3564	schtasks.exe
3828	schtasks.exe
4676	schtasks.exe
200	schtasks.exe
1828	schtasks.exe
2600	schtasks.exe
3964	schtasks.exe
5040	schtasks.exe
4988	schtasks.exe
3860	schtasks.exe
2176	schtasks.exe
612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

polaw.exedllhost.exe

pid	process
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
3268	polaw.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe
2720	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dllhost.exe

pid process

2720 dllhost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

polaw.exedllhost.exe

description pid process

Token: SeDebugPrivilege 3268 polaw.exe
Token: SeDebugPrivilege 2720 dllhost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

polaw.exedllhost.exe

pid process

3268 polaw.exe
2720 dllhost.exe

pid	process
2720	dllhost.exe

description	pid	process
Token: SeDebugPrivilege	3268	polaw.exe
Token: SeDebugPrivilege	2720	dllhost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.execmd.exework.exepolaw.exe

description	pid	process	target process
PID 4364 wrote to memory of 4868	4364	f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe	cmd.exe
PID 4364 wrote to memory of 4868	4364	f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe	cmd.exe
PID 4364 wrote to memory of 4868	4364	f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe	cmd.exe
PID 4868 wrote to memory of 4336	4868	cmd.exe	work.exe
PID 4868 wrote to memory of 4336	4868	cmd.exe	work.exe
PID 4868 wrote to memory of 4336	4868	cmd.exe	work.exe
PID 4336 wrote to memory of 3268	4336	work.exe	polaw.exe
PID 4336 wrote to memory of 3268	4336	work.exe	polaw.exe
PID 4336 wrote to memory of 3268	4336	work.exe	polaw.exe
PID 3268 wrote to memory of 2720	3268	polaw.exe	dllhost.exe
PID 3268 wrote to memory of 2720	3268	polaw.exe	dllhost.exe
PID 3268 wrote to memory of 2720	3268	polaw.exe	dllhost.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

polaw.exedllhost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	dllhost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	polaw.exe

C:\Users\Admin\AppData\Local\Temp\f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe
"C:\Users\Admin\AppData\Local\Temp\f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4336

C:\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3268

C:\Windows\Resources\Maps\font\dllhost.exe
"C:\Windows\Resources\Maps\font\dllhost.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Maps\font\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\Maps\font\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Maps\font\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\NetFramework\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\NetFramework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\NetFramework\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "polawp" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\polaw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "polaw" /sc ONLOGON /tr "'C:\Windows\ModemLogs\polaw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "polawp" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\polaw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
2.6MB

MD5
3a2500e0bafbdafa76666fc6d9e77b35

SHA1
4f38bec9102d11cb714994cde77b88c95744aeb4

SHA256
b1e91ef2f0be9acf51446d80c65c2385030a300498c9f22552f9e01998160b66

SHA512
db0d4b74769f936b1785a46093be47feac1d4ab8372adea7793eddab7af544742ed367f8030f0eb00f903af1c3faefe69bf02a0371dc00638043ff6f38757df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
2.6MB

MD5
3a2500e0bafbdafa76666fc6d9e77b35

SHA1
4f38bec9102d11cb714994cde77b88c95744aeb4

SHA256
b1e91ef2f0be9acf51446d80c65c2385030a300498c9f22552f9e01998160b66

SHA512
db0d4b74769f936b1785a46093be47feac1d4ab8372adea7793eddab7af544742ed367f8030f0eb00f903af1c3faefe69bf02a0371dc00638043ff6f38757df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
C:\Windows\Resources\Maps\font\dllhost.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
C:\Windows\Resources\Maps\font\dllhost.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
memory/2720-465-0x0000000000AB0000-0x0000000001044000-memory.dmp

Filesize
5.6MB

Download
memory/2720-429-0x0000000000AB0000-0x0000000001044000-memory.dmp

Filesize
5.6MB

Download
memory/2720-391-0x0000000000AB0000-0x0000000001044000-memory.dmp

Filesize
5.6MB

Download
memory/2720-369-0x0000000000000000-mapping.dmp

Download
memory/3268-344-0x00000000060C0000-0x00000000060D0000-memory.dmp

Filesize
64KB

Download
memory/3268-338-0x0000000003380000-0x000000000339C000-memory.dmp

Filesize
112KB

Download
memory/3268-347-0x0000000006740000-0x00000000067D2000-memory.dmp

Filesize
584KB

Download
memory/3268-346-0x0000000006650000-0x00000000066A6000-memory.dmp

Filesize
344KB

Download
memory/3268-345-0x0000000005AD0000-0x0000000005ADA000-memory.dmp

Filesize
40KB

Download
memory/3268-349-0x0000000006D10000-0x000000000723C000-memory.dmp

Filesize
5.2MB

Download
memory/3268-343-0x0000000005AC0000-0x0000000005AC8000-memory.dmp

Filesize
32KB

Download
memory/3268-342-0x0000000005A90000-0x0000000005AA6000-memory.dmp

Filesize
88KB

Download
memory/3268-341-0x00000000033D0000-0x00000000033E0000-memory.dmp

Filesize
64KB

Download
memory/3268-340-0x00000000033C0000-0x00000000033C8000-memory.dmp

Filesize
32KB

Download
memory/3268-339-0x0000000006100000-0x0000000006150000-memory.dmp

Filesize
320KB

Download
memory/3268-348-0x00000000060D0000-0x00000000060E2000-memory.dmp

Filesize
72KB

Download
memory/3268-337-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/3268-336-0x0000000003350000-0x000000000335E000-memory.dmp

Filesize
56KB

Download
memory/3268-323-0x0000000006150000-0x000000000664E000-memory.dmp

Filesize
5.0MB

Download
memory/3268-320-0x0000000000DA0000-0x0000000001334000-memory.dmp

Filesize
5.6MB

Download
memory/3268-350-0x0000000006710000-0x000000000671C000-memory.dmp

Filesize
48KB

Download
memory/3268-280-0x0000000000DA0000-0x0000000001334000-memory.dmp

Filesize
5.6MB

Download
memory/3268-351-0x0000000006720000-0x000000000672E000-memory.dmp

Filesize
56KB

Download
memory/3268-271-0x0000000000000000-mapping.dmp

Download
memory/3268-352-0x0000000006B70000-0x0000000006B7C000-memory.dmp

Filesize
48KB

Download
memory/3268-379-0x0000000000DA0000-0x0000000001334000-memory.dmp

Filesize
5.6MB

Download
memory/4336-198-0x0000000000000000-mapping.dmp

Download
memory/4364-142-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-154-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-155-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-161-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-162-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-163-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-164-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-165-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-168-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-167-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-171-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-173-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-175-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-177-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-178-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-179-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-180-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-181-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-117-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-152-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-153-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-149-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-148-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-147-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-143-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-116-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-141-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-140-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-139-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-138-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-137-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-136-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-135-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-134-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-133-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-132-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-131-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-130-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-128-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-127-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-126-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-125-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-124-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-121-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-119-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4364-118-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

Filesize
1.6MB

Download
memory/4868-183-0x0000000000000000-mapping.dmp

Download