dcrat | bceca4720a9dfb62bf4f5130f9443e6fe40f24fb440df17a51b29340575805c0

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2023 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00009e23a8bcbb7323c15448165dc6cc.exe
Size

2.3MB
MD5

00009e23a8bcbb7323c15448165dc6cc
SHA1

2b5050619a50c63d487ed07651be88d1a8ab92d6
SHA256

bceca4720a9dfb62bf4f5130f9443e6fe40f24fb440df17a51b29340575805c0
SHA512

e5f88177c022f80bef16a225679211484f8b12a6f7fdf41c9b94a7a6604578ab413d8a9020231bb55f54a4233c912a7d10837207fce69ce157f4da8717878a41
SSDEEP

49152:oEAW6oV1uWgMzCAKcNqGAonnXvjGt8YxKIh3i2L:LADWgmNqGAKKBli

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	4588	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4588	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4160-132-0x0000000000BF0000-0x0000000000E44000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	dcrat
behavioral2/memory/4768-152-0x0000000000630000-0x0000000000884000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	dcrat

Executes dropped EXE 1 IoCs

Processes:

fontdrvhost.exe

pid process

4768 fontdrvhost.exe

pid	process
4768	fontdrvhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

00009e23a8bcbb7323c15448165dc6cc.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	00009e23a8bcbb7323c15448165dc6cc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 15 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\7a0fd90576e088	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX6F91.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX75A0.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files\Windows Multimedia Platform\csrss.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\5b884080fd4f94	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\explorer.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\RCX701F.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\csrss.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Program Files\Windows Multimedia Platform\886983d96e3d3e	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\explorer.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX72A1.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCX731F.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCX761E.tmp	00009e23a8bcbb7323c15448165dc6cc.exe

Drops file in Windows directory 5 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exe

description	ioc	process
File created	C:\Windows\tracing\6cb0b6c459d5d3	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Windows\tracing\RCX6983.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Windows\tracing\RCX6A01.tmp	00009e23a8bcbb7323c15448165dc6cc.exe
File opened for modification	C:\Windows\tracing\dwm.exe	00009e23a8bcbb7323c15448165dc6cc.exe
File created	C:\Windows\tracing\dwm.exe	00009e23a8bcbb7323c15448165dc6cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4676	schtasks.exe
3056	schtasks.exe
3592	schtasks.exe
1344	schtasks.exe
1072	schtasks.exe
3472	schtasks.exe
4900	schtasks.exe
5104	schtasks.exe
400	schtasks.exe
3688	schtasks.exe
2188	schtasks.exe
808	schtasks.exe
732	schtasks.exe
3448	schtasks.exe
4156	schtasks.exe
3128	schtasks.exe
2160	schtasks.exe
2180	schtasks.exe
1592	schtasks.exe
4012	schtasks.exe
3976	schtasks.exe
380	schtasks.exe
1504	schtasks.exe
1028	schtasks.exe

Modifies registry class 2 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	00009e23a8bcbb7323c15448165dc6cc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exe

pid	process
4160	00009e23a8bcbb7323c15448165dc6cc.exe
4160	00009e23a8bcbb7323c15448165dc6cc.exe
4160	00009e23a8bcbb7323c15448165dc6cc.exe
4160	00009e23a8bcbb7323c15448165dc6cc.exe
4160	00009e23a8bcbb7323c15448165dc6cc.exe
4160	00009e23a8bcbb7323c15448165dc6cc.exe
4160	00009e23a8bcbb7323c15448165dc6cc.exe
4160	00009e23a8bcbb7323c15448165dc6cc.exe
220	powershell.exe
208	powershell.exe
2204	powershell.exe
3104	powershell.exe
3104	powershell.exe
4800	powershell.exe
4800	powershell.exe
3732	powershell.exe
3732	powershell.exe
4956	powershell.exe
4956	powershell.exe
4772	powershell.exe
4772	powershell.exe
388	powershell.exe
388	powershell.exe
4956	powershell.exe
208	powershell.exe
208	powershell.exe
220	powershell.exe
220	powershell.exe
2204	powershell.exe
2204	powershell.exe
3732	powershell.exe
3104	powershell.exe
4800	powershell.exe
4772	powershell.exe
388	powershell.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe
4768	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4160	00009e23a8bcbb7323c15448165dc6cc.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	4956	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	4768	fontdrvhost.exe
Token: SeBackupPrivilege	112	vssvc.exe
Token: SeRestorePrivilege	112	vssvc.exe
Token: SeAuditPrivilege	112	vssvc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

00009e23a8bcbb7323c15448165dc6cc.exefontdrvhost.exe

description	pid	process	target process
PID 4160 wrote to memory of 220	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 220	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 208	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 208	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 2204	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 2204	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 3732	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 3732	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 3104	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 3104	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 4800	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 4800	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 4956	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 4956	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 388	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 388	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 4772	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 4772	4160	00009e23a8bcbb7323c15448165dc6cc.exe	powershell.exe
PID 4160 wrote to memory of 4768	4160	00009e23a8bcbb7323c15448165dc6cc.exe	fontdrvhost.exe
PID 4160 wrote to memory of 4768	4160	00009e23a8bcbb7323c15448165dc6cc.exe	fontdrvhost.exe
PID 4768 wrote to memory of 4872	4768	fontdrvhost.exe	WScript.exe
PID 4768 wrote to memory of 4872	4768	fontdrvhost.exe	WScript.exe
PID 4768 wrote to memory of 1104	4768	fontdrvhost.exe	WScript.exe
PID 4768 wrote to memory of 1104	4768	fontdrvhost.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe
"C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\00009e23a8bcbb7323c15448165dc6cc.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\backgroundTaskHost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\dwm.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\csrss.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\explorer.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\wininit.exe'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe
"C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\893ffe04-256e-45a8-aedd-67f798454ace.vbs"
3⤵
PID:4872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86866a18-5930-4370-baac-e33b61ebbcbb.vbs"
3⤵
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Videos\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\Public\Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\tracing\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe

Filesize
2.3MB

MD5
25890f6df01660b7704a2d45e5abd7b3

SHA1
9365d08d2d0965411409da5c4789a4019ca3ea44

SHA256
8bc34136899ba396ef06040537270eb26bf172d1064130cfd034a0179565a1b9

SHA512
0a67af74fc1519ad8f918451085e19eed8b82b2cac3322dc574f099a98c6984e2690d652fd2e45d8b8d2bf06a5bb8aa1662bed3af8fa54d3525cc4c917b9e93d

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\de-DE\fontdrvhost.exe

Filesize
2.3MB

MD5
25890f6df01660b7704a2d45e5abd7b3

SHA1
9365d08d2d0965411409da5c4789a4019ca3ea44

SHA256
8bc34136899ba396ef06040537270eb26bf172d1064130cfd034a0179565a1b9

SHA512
0a67af74fc1519ad8f918451085e19eed8b82b2cac3322dc574f099a98c6984e2690d652fd2e45d8b8d2bf06a5bb8aa1662bed3af8fa54d3525cc4c917b9e93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\86866a18-5930-4370-baac-e33b61ebbcbb.vbs

Filesize
517B

MD5
3cad3cf2e3c7dab12e6a8159877fbaac

SHA1
410813c278bb0fee28c9438aa6337d834489e050

SHA256
5f60d9061640b1c9698e5c369ed329d39d19f86f61aaa4de6ccb0059fcf50cdb

SHA512
8180665f0b97425e609eacd7fc3193ccad38b768f7d122dee8f3672ed54c069ff77af712977c05074271c231e45b2a761e783374136e916963822a088af03537

Download Submit
C:\Users\Admin\AppData\Local\Temp\893ffe04-256e-45a8-aedd-67f798454ace.vbs

Filesize
741B

MD5
dffe6b6b80ed8ecb60ba1ea291b6da5b

SHA1
b47ff2f0124d86bf23f9f926f13f27322f474c3d

SHA256
d251a329c36394e90b53fd212de5d37a0f9c870130b7b15a86e51ee37ef5285e

SHA512
47e1a09bea26a1293b1a3d3562e621562ab598a7d1cd1e2449060b2b918ec946700ab674aa17652c55a01a98f3de2001a07a775756716378c89e1181e2fee5b1

Download Submit
memory/208-136-0x0000000000000000-mapping.dmp

Download
memory/208-147-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/208-167-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/220-146-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/220-135-0x0000000000000000-mapping.dmp

Download
memory/220-175-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/388-158-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/388-142-0x0000000000000000-mapping.dmp

Download
memory/388-174-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/1104-181-0x0000000000000000-mapping.dmp

Download
memory/2204-144-0x000001D62ACF0000-0x000001D62AD12000-memory.dmp

Filesize
136KB

Download
memory/2204-177-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2204-137-0x0000000000000000-mapping.dmp

Download
memory/2204-151-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-155-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3104-139-0x0000000000000000-mapping.dmp

Download
memory/3104-168-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-138-0x0000000000000000-mapping.dmp

Download
memory/3732-154-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-172-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-145-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-133-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-134-0x000000001B940000-0x000000001B990000-memory.dmp

Filesize
320KB

Download
memory/4160-153-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-132-0x0000000000BF0000-0x0000000000E44000-memory.dmp

Filesize
2.3MB

Download
memory/4768-178-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-148-0x0000000000000000-mapping.dmp

Download
memory/4768-183-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-152-0x0000000000630000-0x0000000000884000-memory.dmp

Filesize
2.3MB

Download
memory/4772-143-0x0000000000000000-mapping.dmp

Download
memory/4772-159-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-173-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-156-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4800-140-0x0000000000000000-mapping.dmp

Download
memory/4800-176-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-179-0x0000000000000000-mapping.dmp

Download
memory/4956-157-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-141-0x0000000000000000-mapping.dmp

Download
memory/4956-171-0x00007FFAE4030000-0x00007FFAE4AF1000-memory.dmp

Filesize
10.8MB

Download