dcrat | 5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2023 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe
Size

1.5MB
MD5

2c289507bcd526b692b833e345b0a3b9
SHA1

648c51af0d0e85f9fd4fa30f2266c2b1dedf37b2
SHA256

5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459
SHA512

46433a563526e7213b6d1cb0d8c8e441bc762c3acaff22a976a8c9463ee3f2ffa5a387b200fa9cfc2fbab234cc6f934508754e5f4cc5ba3a0c3dee2ab1d925ad
SSDEEP

24576:U2G/nvxW3Ww0tHUq2m+Uko0DQXHxbZfGYiUMfwtApTjN:UbA300qpt1xiFKqB

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	260	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3880	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	1324	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	1324	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe	dcrat
behavioral1/memory/1104-139-0x00000000005C0000-0x00000000006F4000-memory.dmp	dcrat
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe	dcrat
C:\Recovery\WindowsRE\upfc.exe	dcrat
C:\Recovery\WindowsRE\upfc.exe	dcrat

Executes dropped EXE 3 IoCs

Processes:

blockSurrogatePerf.exeblockSurrogatePerf.exeupfc.exe

pid process

1104 blockSurrogatePerf.exe
3832 blockSurrogatePerf.exe
4004 upfc.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

blockSurrogatePerf.exeblockSurrogatePerf.exe5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	blockSurrogatePerf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	blockSurrogatePerf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 5 IoCs

Processes:

blockSurrogatePerf.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Security\dllhost.exe	blockSurrogatePerf.exe
File created	C:\Program Files\Windows Security\5940a34987c991	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe	blockSurrogatePerf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\55b276f4edf653	blockSurrogatePerf.exe
File created	C:\Program Files\Windows Security\dllhost.exe	blockSurrogatePerf.exe

Drops file in Windows directory 11 IoCs

Processes:

blockSurrogatePerf.exeblockSurrogatePerf.exe

description	ioc	process
File created	C:\Windows\tracing\SearchApp.exe	blockSurrogatePerf.exe
File opened for modification	C:\Windows\tracing\SearchApp.exe	blockSurrogatePerf.exe
File created	C:\Windows\Microsoft.NET\fontdrvhost.exe	blockSurrogatePerf.exe
File created	C:\Windows\ShellExperiences\System.exe	blockSurrogatePerf.exe
File created	C:\Windows\DiagTrack\Settings\spoolsv.exe	blockSurrogatePerf.exe
File created	C:\Windows\CSC\taskhostw.exe	blockSurrogatePerf.exe
File created	C:\Windows\tracing\38384e6a620884	blockSurrogatePerf.exe
File created	C:\Windows\Microsoft.NET\5b884080fd4f94	blockSurrogatePerf.exe
File created	C:\Windows\LanguageOverlayCache\dwm.exe	blockSurrogatePerf.exe
File created	C:\Windows\ShellExperiences\27d1bcfc3c54e0	blockSurrogatePerf.exe
File created	C:\Windows\DiagTrack\Settings\f3b6ecef712a24	blockSurrogatePerf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
5108	schtasks.exe
4796	schtasks.exe
3488	schtasks.exe
1312	schtasks.exe
1620	schtasks.exe
4688	schtasks.exe
4488	schtasks.exe
1040	schtasks.exe
4296	schtasks.exe
3820	schtasks.exe
3288	schtasks.exe
3892	schtasks.exe
2896	schtasks.exe
3692	schtasks.exe
3296	schtasks.exe
2852	schtasks.exe
1720	schtasks.exe
4212	schtasks.exe
3880	schtasks.exe
260	schtasks.exe
4084	schtasks.exe
3784	schtasks.exe
4544	schtasks.exe
1068	schtasks.exe
3312	schtasks.exe
792	schtasks.exe
4304	schtasks.exe
3920	schtasks.exe
1280	schtasks.exe
1836	schtasks.exe
3648	schtasks.exe
224	schtasks.exe
2012	schtasks.exe
3752	schtasks.exe
4760	schtasks.exe
5028	schtasks.exe
3828	schtasks.exe
4240	schtasks.exe
4444	schtasks.exe
3672	schtasks.exe
2396	schtasks.exe
3688	schtasks.exe
1616	schtasks.exe
1520	schtasks.exe
1888	schtasks.exe
3992	schtasks.exe
2072	schtasks.exe
3020	schtasks.exe

Modifies registry class 3 IoCs

Processes:

5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exeblockSurrogatePerf.exeblockSurrogatePerf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	blockSurrogatePerf.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	blockSurrogatePerf.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

blockSurrogatePerf.exeblockSurrogatePerf.exeupfc.exe

pid	process
1104	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
3832	blockSurrogatePerf.exe
4004	upfc.exe
4004	upfc.exe
4004	upfc.exe
4004	upfc.exe
4004	upfc.exe
4004	upfc.exe
4004	upfc.exe
4004	upfc.exe
4004	upfc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

upfc.exe

pid process

4004 upfc.exe

pid	process
4004	upfc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

blockSurrogatePerf.exeblockSurrogatePerf.exeupfc.exe

description	pid	process
Token: SeDebugPrivilege	1104	blockSurrogatePerf.exe
Token: SeDebugPrivilege	3832	blockSurrogatePerf.exe
Token: SeDebugPrivilege	4004	upfc.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exeWScript.execmd.exeblockSurrogatePerf.execmd.exeblockSurrogatePerf.execmd.exe

description	pid	process	target process
PID 2824 wrote to memory of 2960	2824	5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe	WScript.exe
PID 2824 wrote to memory of 2960	2824	5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe	WScript.exe
PID 2824 wrote to memory of 2960	2824	5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe	WScript.exe
PID 2960 wrote to memory of 628	2960	WScript.exe	cmd.exe
PID 2960 wrote to memory of 628	2960	WScript.exe	cmd.exe
PID 2960 wrote to memory of 628	2960	WScript.exe	cmd.exe
PID 628 wrote to memory of 1104	628	cmd.exe	blockSurrogatePerf.exe
PID 628 wrote to memory of 1104	628	cmd.exe	blockSurrogatePerf.exe
PID 1104 wrote to memory of 3524	1104	blockSurrogatePerf.exe	cmd.exe
PID 1104 wrote to memory of 3524	1104	blockSurrogatePerf.exe	cmd.exe
PID 3524 wrote to memory of 476	3524	cmd.exe	w32tm.exe
PID 3524 wrote to memory of 476	3524	cmd.exe	w32tm.exe
PID 3524 wrote to memory of 3832	3524	cmd.exe	blockSurrogatePerf.exe
PID 3524 wrote to memory of 3832	3524	cmd.exe	blockSurrogatePerf.exe
PID 3832 wrote to memory of 3372	3832	blockSurrogatePerf.exe	cmd.exe
PID 3832 wrote to memory of 3372	3832	blockSurrogatePerf.exe	cmd.exe
PID 3372 wrote to memory of 4704	3372	cmd.exe	w32tm.exe
PID 3372 wrote to memory of 4704	3372	cmd.exe	w32tm.exe
PID 3372 wrote to memory of 4004	3372	cmd.exe	upfc.exe
PID 3372 wrote to memory of 4004	3372	cmd.exe	upfc.exe

C:\Users\Admin\AppData\Local\Temp\5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe
"C:\Users\Admin\AppData\Local\Temp\5c9ffd0729ab591fcdb1d14462c4ae42f3740e5a432fa0e7d8fd71055bdfc459.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitor\TiNJwSbj9xFjx5ES90J8DtcZF8KT.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msMonitor\u8AnLJCEqxCthiwBtq7.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe
"C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1PlbJmoj5H.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:3524

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:476

C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe
"C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4pmN62PbX.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4704

C:\Recovery\WindowsRE\upfc.exe
"C:\Recovery\WindowsRE\upfc.exe"
8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\tracing\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-929662420-1054238289-2961194603-1000\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-929662420-1054238289-2961194603-1000\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\S-1-5-21-929662420-1054238289-2961194603-1000\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Security\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellExperiences\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Settings\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\DiagTrack\Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\upfc.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Recovery\WindowsRE\upfc.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blockSurrogatePerf.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\1PlbJmoj5H.bat

Filesize
228B

MD5
e76cdc8164ba6e33d919ce3ab1d77561

SHA1
f9b9fa5a1e47643a19680ea054afd5f9bc73446f

SHA256
66d24eb01629f6e91b3036b631684e9cec5b1943e9e48bd1c4c4d20bde75c901

SHA512
36db7cd06287c49ce1d5d10726005cf7d2ebad4a095b19cec1058fc0cb82e14f6de7910d67ecf3a640244b683d5571c9f97e29d6fa4b8f531886eddb8ba3fb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\95cbcfc18e42d1ff7e83e27db052dc69fde2b3934.5.33675ceb3f2cf0aa08864a4c4c4f68da0d35072b53

Filesize
736B

MD5
999be844f6de08f227ef90ff99913bf9

SHA1
8e877e8c1debea7ccec24ea2c804ac88b123f7a3

SHA256
52bb93438bfe0f5abfb55fbd80c884956120d2a74518b63480f13dd31605e66c

SHA512
c94efbeb58e94d1a83dd2fb0727ca609175f19f93fd9c6d0ebd0a6f66fad83db6bf69bebe3021a84188f87432a69c8b14e604a9e241140ef7e937d5d562174d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4pmN62PbX.bat

Filesize
195B

MD5
c2e23068541029b15ec6a63cb79d7aaa

SHA1
ba52eb06108d8d8adeeca12227892afe42304fc9

SHA256
0990f112e56058636954741db6ad3ea16e107af58b2800c4c40a18f293ad52dd

SHA512
d8c2d8f82cb4a34b684f85796e3b7ad6cf0402bfa5fb9fb7f5e537022cc7d5e664a43551ac3a14e28bd0a9501fc26d469d3cb63bdee3ad54877fe7209879ff13

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\TiNJwSbj9xFjx5ES90J8DtcZF8KT.vbe

Filesize
212B

MD5
d357375a914faa460a20062143ad0f94

SHA1
6693d198b165b8229cdf540d8f9dc13ea51e7da2

SHA256
8bb53e94a27426cf4be6cbbdaf8e31e4d50f9f652f8d6d44be0a272d40e47ecb

SHA512
c0835de7030400d54932273ceb04aca0d993b719b47696e4cab9db05b72e396a46cb9113aa6f36057fc11f5816fe5ab01674b15200dc292dde49884fb0fdb191

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\blockSurrogatePerf.exe

Filesize
1.2MB

MD5
4d24e0b64f19d79260fe43bbc7726069

SHA1
42e113fd0e001b7231a92a43f4af6f9de02c0696

SHA256
54580b519b82e21da0010ce80fb64223bb6e467a4414219f029d5d7f2152014c

SHA512
31485cbe88be88f9297fe08c85c77d6c59c2a8ed5396edd5f7feb20673d5fd15218b15778c8ee60cbcab473b8e3889254c4baf9b62cff0b05ebdb79b17757592

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitor\u8AnLJCEqxCthiwBtq7.bat

Filesize
44B

MD5
246308a337932eb9ec6667a0550af40d

SHA1
39f0c6c527ba808983284b892a60ec56eff06dc3

SHA256
9d4f20be2fa692acc95bad7ec641ec73f71e61ccc92496acf82daa464eee2442

SHA512
44d55057db867db7bb5cf3e5616d339835f95d995bd40caffd17454bd9855a27801eda487569da02c8542a6b263d3f8be57b841c3bbf31ed908fb822f7135d95

Download Submit
memory/476-144-0x0000000000000000-mapping.dmp

Download
memory/628-135-0x0000000000000000-mapping.dmp

Download
memory/1104-139-0x00000000005C0000-0x00000000006F4000-memory.dmp

Filesize
1.2MB

Download
memory/1104-140-0x0000000002A70000-0x0000000002AC0000-memory.dmp

Filesize
320KB

Download
memory/1104-145-0x00007FF948800000-0x00007FF9492C1000-memory.dmp

Filesize
10.8MB

Download
memory/1104-136-0x0000000000000000-mapping.dmp

Download
memory/1104-141-0x00007FF948800000-0x00007FF9492C1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-132-0x0000000000000000-mapping.dmp

Download
memory/3372-151-0x0000000000000000-mapping.dmp

Download
memory/3524-142-0x0000000000000000-mapping.dmp

Download
memory/3832-152-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/3832-146-0x0000000000000000-mapping.dmp

Download
memory/3832-149-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/4004-155-0x0000000000000000-mapping.dmp

Download
memory/4004-158-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/4004-159-0x00007FF9484B0000-0x00007FF948F71000-memory.dmp

Filesize
10.8MB

Download
memory/4704-154-0x0000000000000000-mapping.dmp

Download