dcrat | 5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

General

Target

5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe
Size

1.3MB
MD5

b9a0002e9a104374dea2f4ba571f1764
SHA1

627488abb7aeeb5f8f411a9694cebd6b4748a86f
SHA256

5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18
SHA512

439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5
SSDEEP

24576:U2G/nvxW3Ww0t4952ytIS/Zgi5N5vC8bg7Mj9W4eHdELPh:UbA30QAytISht5q8bQMB4o

Score

10^/10

dcrat evasion infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

hyperReviewwin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\cmd.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\fontdrvhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\fontdrvhost.exe\", \"C:\\odt\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\", \"C:\\Windows\\SchCache\\sppsvc.exe\", \"C:\\Program Files\\Common Files\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\", \"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\", \"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\", \"C:\\odt\\lsass.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\fontdrvhost.exe\", \"C:\\odt\\sppsvc.exe\""	hyperReviewwin.exe

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4372	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4376	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	4376	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
behavioral2/memory/2596-139-0x0000000000A30000-0x0000000000B3A000-memory.dmp	dcrat
C:\odt\lsass.exe	dcrat
C:\odt\lsass.exe	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

hyperReviewwin.exelsass.exe

pid process

2596 hyperReviewwin.exe
4248 lsass.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exeWScript.exehyperReviewwin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	hyperReviewwin.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hyperReviewwin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\cmd.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\fontdrvhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\odt\\lsass.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Windows Media Player\\RuntimeBroker.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\cmd.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\es\\fontdrvhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\SchCache\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Common Files\\SearchApp.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\odt\\lsass.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Mail\\wininit.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Recovery\\WindowsRE\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\RemotePackages\\RemoteApps\\RuntimeBroker.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\StartMenuExperienceHost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\SppExtComObj.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\dllhost.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\odt\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\WindowsPowerShell\\WaaSMedicAgent.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\SchCache\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Common Files\\dllhost.exe\""	hyperReviewwin.exe

Drops file in Program Files directory 17 IoCs

Processes:

hyperReviewwin.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\ebf1f9fa8afd6d	hyperReviewwin.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\fontdrvhost.exe	hyperReviewwin.exe
File created	C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe	hyperReviewwin.exe
File created	C:\Program Files\Common Files\5940a34987c991	hyperReviewwin.exe
File created	C:\Program Files (x86)\Common Files\SearchApp.exe	hyperReviewwin.exe
File created	C:\Program Files (x86)\Windows Mail\wininit.exe	hyperReviewwin.exe
File created	C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe	hyperReviewwin.exe
File created	C:\Program Files (x86)\Common Files\38384e6a620884	hyperReviewwin.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe	hyperReviewwin.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe	hyperReviewwin.exe
File created	C:\Program Files (x86)\WindowsPowerShell\c82b8037eab33d	hyperReviewwin.exe
File created	C:\Program Files (x86)\Windows Media Player\9e8d7a4ca61bd9	hyperReviewwin.exe
File created	C:\Program Files\Common Files\dllhost.exe	hyperReviewwin.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\e1ef82546f0b02	hyperReviewwin.exe
File created	C:\Program Files (x86)\Windows Mail\56085415360792	hyperReviewwin.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\cmd.exe	hyperReviewwin.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\5b884080fd4f94	hyperReviewwin.exe

Drops file in Windows directory 6 IoCs

Processes:

hyperReviewwin.exe

description	ioc	process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe	hyperReviewwin.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\55b276f4edf653	hyperReviewwin.exe
File created	C:\Windows\SchCache\sppsvc.exe	hyperReviewwin.exe
File created	C:\Windows\SchCache\0a1fd5f707cd16	hyperReviewwin.exe
File created	C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe	hyperReviewwin.exe
File created	C:\Windows\RemotePackages\RemoteApps\9e8d7a4ca61bd9	hyperReviewwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4220	schtasks.exe
1832	schtasks.exe
1884	schtasks.exe
4896	schtasks.exe
3968	schtasks.exe
3476	schtasks.exe
1848	schtasks.exe
4968	schtasks.exe
2452	schtasks.exe
1244	schtasks.exe
4928	schtasks.exe
3508	schtasks.exe
4440	schtasks.exe
3252	schtasks.exe
1412	schtasks.exe
2988	schtasks.exe
2308	schtasks.exe
2500	schtasks.exe
1276	schtasks.exe
616	schtasks.exe
3020	schtasks.exe
2888	schtasks.exe
2700	schtasks.exe
2968	schtasks.exe
1960	schtasks.exe
4604	schtasks.exe
4748	schtasks.exe
2852	schtasks.exe
4340	schtasks.exe
1900	schtasks.exe
3928	schtasks.exe
2512	schtasks.exe
4960	schtasks.exe
1852	schtasks.exe
2912	schtasks.exe
3004	schtasks.exe
3584	schtasks.exe
4252	schtasks.exe
3908	schtasks.exe
8	schtasks.exe
2112	schtasks.exe
4344	schtasks.exe
4888	schtasks.exe
444	schtasks.exe
3992	schtasks.exe
4372	schtasks.exe
1920	schtasks.exe
4148	schtasks.exe
2612	schtasks.exe
3292	schtasks.exe
4228	schtasks.exe

Modifies registry class 2 IoCs

Processes:

5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exehyperReviewwin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	hyperReviewwin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4024 reg.exe

pid	process
4024	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

hyperReviewwin.exelsass.exe

pid	process
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
2596	hyperReviewwin.exe
4248	lsass.exe
4248	lsass.exe
4248	lsass.exe
4248	lsass.exe
4248	lsass.exe
4248	lsass.exe
4248	lsass.exe
4248	lsass.exe
4248	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lsass.exe

pid process

4248 lsass.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hyperReviewwin.exelsass.exe

description pid process

Token: SeDebugPrivilege 2596 hyperReviewwin.exe
Token: SeDebugPrivilege 4248 lsass.exe

pid	process
4248	lsass.exe

description	pid	process
Token: SeDebugPrivilege	2596	hyperReviewwin.exe
Token: SeDebugPrivilege	4248	lsass.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exeWScript.execmd.exehyperReviewwin.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 3884	2000	5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe	WScript.exe
PID 2000 wrote to memory of 3884	2000	5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe	WScript.exe
PID 2000 wrote to memory of 3884	2000	5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe	WScript.exe
PID 3884 wrote to memory of 1172	3884	WScript.exe	cmd.exe
PID 3884 wrote to memory of 1172	3884	WScript.exe	cmd.exe
PID 3884 wrote to memory of 1172	3884	WScript.exe	cmd.exe
PID 1172 wrote to memory of 2596	1172	cmd.exe	hyperReviewwin.exe
PID 1172 wrote to memory of 2596	1172	cmd.exe	hyperReviewwin.exe
PID 2596 wrote to memory of 4820	2596	hyperReviewwin.exe	cmd.exe
PID 2596 wrote to memory of 4820	2596	hyperReviewwin.exe	cmd.exe
PID 1172 wrote to memory of 4024	1172	cmd.exe	reg.exe
PID 1172 wrote to memory of 4024	1172	cmd.exe	reg.exe
PID 1172 wrote to memory of 4024	1172	cmd.exe	reg.exe
PID 4820 wrote to memory of 3944	4820	cmd.exe	w32tm.exe
PID 4820 wrote to memory of 3944	4820	cmd.exe	w32tm.exe
PID 4820 wrote to memory of 4248	4820	cmd.exe	lsass.exe
PID 4820 wrote to memory of 4248	4820	cmd.exe	lsass.exe

C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe
"C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e0745158.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
"C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f6XmLhiGTt.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:3944

C:\odt\lsass.exe
"C:\odt\lsass.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SchCache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteApps\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1848

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Winlogon Helper DLL

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\f6XmLhiGTt.bat

Filesize
181B

MD5
084d74022286c405014838c35c2ca53b

SHA1
e6690238d1d795079f9c6dd60db1594c05be7c2e

SHA256
89bae78157b7244909b4c3c8c6e7088c4af4118e90a90f5e4b1ce064a77af892

SHA512
0de115fa7c1cee0511d4c7999c977b92115892aefaeb86fba4cfbd679275482b1e38def8bbb3b8796aee979da0268b3654d23ad489c2f681bf175b334e4ef428

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat

Filesize
173B

MD5
2445216481e9c79fe7a7d2dddd5dd047

SHA1
5caaf8f423f587b26c0d98bb57db0e295d7ca6a7

SHA256
0d8405ad4bde2e23144377872f204baf9cdbc1343a55c075dabeec49a64c7c3d

SHA512
7000b171a053a0bb20c435765f2c76272e71eb4f429e2b500282f4765b9141757cdcb93a94480ae8ae0b78624098a02bb71caa111e8ab516f12c863725f86484

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe

Filesize
221B

MD5
fc584ab062886ba5b7b34c8a8e4f1809

SHA1
6be7eeee2021f69be9e4513f0cb28408a56caba9

SHA256
873395e08f2ca43b4698329c5e2b6667dec76f2eeb08b05a1cff0a14e5a9db76

SHA512
a74d1b3567e169ed0ec0d135e31312eeae71f87e43c2311a16539f670116f2ce75bb4b4f33a6b462aa417c3764637b3e6c027b44728b2da7874031ac0cc4a7b8

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\odt\lsass.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\odt\lsass.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
memory/1172-135-0x0000000000000000-mapping.dmp

Download
memory/2596-140-0x00007FFA11FB0000-0x00007FFA12A71000-memory.dmp

Filesize
10.8MB

Download
memory/2596-142-0x00007FFA11FB0000-0x00007FFA12A71000-memory.dmp

Filesize
10.8MB

Download
memory/2596-139-0x0000000000A30000-0x0000000000B3A000-memory.dmp

Filesize
1.0MB

Download
memory/2596-136-0x0000000000000000-mapping.dmp

Download
memory/3884-132-0x0000000000000000-mapping.dmp

Download
memory/3944-145-0x0000000000000000-mapping.dmp

Download
memory/4024-144-0x0000000000000000-mapping.dmp

Download
memory/4248-146-0x0000000000000000-mapping.dmp

Download
memory/4248-149-0x00007FFA11EA0000-0x00007FFA12961000-memory.dmp

Filesize
10.8MB

Download
memory/4248-150-0x00007FFA11EA0000-0x00007FFA12961000-memory.dmp

Filesize
10.8MB

Download
memory/4820-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads