dcrat | 8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

General

Target

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Size

2.1MB
MD5

f26bb4f3cc67c00580554bea3dac5e4a
SHA1

14c7857a8edc29dce1a27379f60f0d9443303627
SHA256

8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19
SHA512

32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010
SSDEEP

49152:tmyDQOI0/F/LopeanZ6QNo1y80nfLSx9ZEQCUn/ty374FM5YLCbtYY2Zy:kyDRZFTopJhTfe3ZtVy3x1btJv

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3260	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	3248	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	3248	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4808-132-0x0000000000470000-0x000000000069A000-memory.dmp	dcrat
C:\Users\Public\AccountPictures\fontdrvhost.exe	dcrat
C:\Users\Public\AccountPictures\fontdrvhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

fontdrvhost.exe

pid process

1488 fontdrvhost.exe

pid	process
1488	fontdrvhost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Drops file in Program Files directory 13 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Adobe\27d1bcfc3c54e0	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Google\Chrome\Application\Registry.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Google\Chrome\Application\ee2ad38f3d4382	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\55b276f4edf653	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Common Files\Adobe\System.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\System.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows Portable Devices\dwm.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\886983d96e3d3e	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5b884080fd4f94	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Drops file in Windows directory 6 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
File created	C:\Windows\Registration\CRMLog\24dbde2999530e	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\IdentityCRL\production\RuntimeBroker.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\IdentityCRL\production\9e8d7a4ca61bd9	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\fr-FR\fontdrvhost.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\fr-FR\5b884080fd4f94	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
File created	C:\Windows\Registration\CRMLog\WmiPrvSE.exe	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4660	schtasks.exe
836	schtasks.exe
1352	schtasks.exe
4896	schtasks.exe
1608	schtasks.exe
4176	schtasks.exe
3592	schtasks.exe
5016	schtasks.exe
2388	schtasks.exe
4188	schtasks.exe
2224	schtasks.exe
896	schtasks.exe
1456	schtasks.exe
4396	schtasks.exe
3480	schtasks.exe
2052	schtasks.exe
4516	schtasks.exe
3576	schtasks.exe
3596	schtasks.exe
4136	schtasks.exe
4520	schtasks.exe
3416	schtasks.exe
3664	schtasks.exe
3188	schtasks.exe
1416	schtasks.exe
2900	schtasks.exe
3260	schtasks.exe
2764	schtasks.exe
4892	schtasks.exe
4684	schtasks.exe
1356	schtasks.exe
4916	schtasks.exe
216	schtasks.exe
1852	schtasks.exe
3456	schtasks.exe
2548	schtasks.exe
3936	schtasks.exe
916	schtasks.exe
1996	schtasks.exe
1412	schtasks.exe
3052	schtasks.exe
3964	schtasks.exe
4356	schtasks.exe
2888	schtasks.exe
1292	schtasks.exe
4200	schtasks.exe
5116	schtasks.exe
2100	schtasks.exe
4140	schtasks.exe
5044	schtasks.exe
484	schtasks.exe
4528	schtasks.exe
316	schtasks.exe
4564	schtasks.exe
3972	schtasks.exe
1148	schtasks.exe
2740	schtasks.exe

Modifies registry class 1 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exefontdrvhost.exe

pid	process
4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
1488	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exefontdrvhost.exe

description pid process

Token: SeDebugPrivilege 4808 8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege 1488 fontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
Token: SeDebugPrivilege	1488	fontdrvhost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.execmd.exe

description	pid	process	target process
PID 4808 wrote to memory of 1584	4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	cmd.exe
PID 4808 wrote to memory of 1584	4808	8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe	cmd.exe
PID 1584 wrote to memory of 4320	1584	cmd.exe	w32tm.exe
PID 1584 wrote to memory of 4320	1584	cmd.exe	w32tm.exe
PID 1584 wrote to memory of 1488	1584	cmd.exe	fontdrvhost.exe
PID 1584 wrote to memory of 1488	1584	cmd.exe	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe
"C:\Users\Admin\AppData\Local\Temp\8148B7D10CC4D45AC6C2D1454119161A1EE677AC0986E.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zUvFlzunt0.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:4320

C:\Users\Public\AccountPictures\fontdrvhost.exe
"C:\Users\Public\AccountPictures\fontdrvhost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default\AppData\Roaming\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\production\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\production\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zUvFlzunt0.bat
Filesize
212B

MD5
738b03707009764360b85ef9fb65e2fc

SHA1
6fe9aa3711252e94938b6b8a1ccb5054ce6e4b4f

SHA256
2ea1bf643286e55d8c5bd18633e695dd61a1d092c4775d36de74ddb4cbef6d0c

SHA512
111944109e264e4238e7b63e91d18d721516bb5c583e25ee97932abdb71eed7ff3a9cb4d6498aeda7b5a580ec3a8a52952d7ec4c97937d076c4015c72636be98

Download Submit
C:\Users\Public\AccountPictures\fontdrvhost.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
C:\Users\Public\AccountPictures\fontdrvhost.exe
Filesize
2.1MB

MD5
f26bb4f3cc67c00580554bea3dac5e4a

SHA1
14c7857a8edc29dce1a27379f60f0d9443303627

SHA256
8148b7d10cc4d45ac6c2d1454119161a1ee677ac0986e4dd86e2f38a15b7ac19

SHA512
32c1d95bde25e1807ce7312280106259831057df7da893041c43d3c76def49de500ccb7e87b8c08af7657fdbd22117d9320dc4f9e7eebed85f54b3f2e7418010

Download Submit
memory/1488-144-0x00007FF970540000-0x00007FF971001000-memory.dmp

Filesize
10.8MB

Download
memory/1488-143-0x00007FF970540000-0x00007FF971001000-memory.dmp

Filesize
10.8MB

Download
memory/1488-140-0x0000000000000000-mapping.dmp

Download
memory/1584-136-0x0000000000000000-mapping.dmp

Download
memory/4320-138-0x0000000000000000-mapping.dmp

Download
memory/4808-139-0x00007FF970940000-0x00007FF971401000-memory.dmp

Filesize
10.8MB

Download
memory/4808-132-0x0000000000470000-0x000000000069A000-memory.dmp

Filesize
2.2MB

Download
memory/4808-135-0x000000001CB60000-0x000000001D088000-memory.dmp

Filesize
5.2MB

Download
memory/4808-134-0x000000001B1B0000-0x000000001B200000-memory.dmp

Filesize
320KB

Download
memory/4808-133-0x00007FF970940000-0x00007FF971401000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads