dcrat | b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292

Analysis

max time kernel
93s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P3MKL.exe
Size

1.7MB
MD5

f812dea5ffd8ac4eb11cf366b7baccca
SHA1

f16dd261312b338f6a23b5a8a29ca649d9e36c4e
SHA256

b1304c0e84874b14b78436e3ca39321a10f1b6c67743a74eacd59e435be09292
SHA512

c22750b31fae4389e69d715d5ffbbb7e79c7d8294cc3ac9f40a6bdb1921517cb52eed4e8bad5535bf20d3527ba468a845e50f081ba9360f753969025c80d8237
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	2836	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	2836	schtasks.exe

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/4564-132-0x0000000000520000-0x00000000006D6000-memory.dmp	dcrat
C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe	dcrat
C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe	dcrat
behavioral2/memory/1280-198-0x00000000008E0000-0x0000000000A96000-memory.dmp	dcrat
C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

P3MKL.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts P3MKL.exe
Executes dropped EXE 2 IoCs

Processes:

fontdrvhost.exefontdrvhost.exe

pid process

1280 fontdrvhost.exe
4532 fontdrvhost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	P3MKL.exe

pid	process
1280	fontdrvhost.exe
4532	fontdrvhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fontdrvhost.exeP3MKL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	P3MKL.exe

Drops file in Program Files directory 5 IoCs

Processes:

P3MKL.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Idle.exe	P3MKL.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Idle.exe	P3MKL.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\6ccacd8608530f	P3MKL.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXA549.tmp	P3MKL.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RCXA5D7.tmp	P3MKL.exe

Drops file in Windows directory 20 IoCs

Processes:

P3MKL.exe

description	ioc	process
File opened for modification	C:\Windows\ShellComponents\RCXA8F6.tmp	P3MKL.exe
File created	C:\Windows\Web\Idle.exe	P3MKL.exe
File created	C:\Windows\Web\6ccacd8608530f	P3MKL.exe
File created	C:\Windows\SystemResources\Windows.UI.PCShell\5b884080fd4f94	P3MKL.exe
File created	C:\Windows\Media\55b276f4edf653	P3MKL.exe
File created	C:\Windows\ShellComponents\sppsvc.exe	P3MKL.exe
File opened for modification	C:\Windows\Web\Idle.exe	P3MKL.exe
File created	C:\Windows\Media\StartMenuExperienceHost.exe	P3MKL.exe
File created	C:\Windows\ShellComponents\0a1fd5f707cd16	P3MKL.exe
File opened for modification	C:\Windows\Web\RCX997B.tmp	P3MKL.exe
File opened for modification	C:\Windows\Media\StartMenuExperienceHost.exe	P3MKL.exe
File opened for modification	C:\Windows\ShellComponents\sppsvc.exe	P3MKL.exe
File created	C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe	P3MKL.exe
File opened for modification	C:\Windows\Web\RCX98ED.tmp	P3MKL.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.PCShell\RCX9BFC.tmp	P3MKL.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.PCShell\RCX9C8A.tmp	P3MKL.exe
File opened for modification	C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe	P3MKL.exe
File opened for modification	C:\Windows\Media\RCX9F0C.tmp	P3MKL.exe
File opened for modification	C:\Windows\Media\RCX9F99.tmp	P3MKL.exe
File opened for modification	C:\Windows\ShellComponents\RCXA868.tmp	P3MKL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4876 1280 WerFault.exe fontdrvhost.exe

pid	pid_target	process	target process
4876	1280	WerFault.exe	fontdrvhost.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2884	schtasks.exe
4040	schtasks.exe
4332	schtasks.exe
2608	schtasks.exe
204	schtasks.exe
3360	schtasks.exe
3200	schtasks.exe
2324	schtasks.exe
3616	schtasks.exe
684	schtasks.exe
4536	schtasks.exe
3292	schtasks.exe
1480	schtasks.exe
3100	schtasks.exe
4552	schtasks.exe
4584	schtasks.exe
4452	schtasks.exe
4832	schtasks.exe
1316	schtasks.exe
3780	schtasks.exe
3632	schtasks.exe

Modifies registry class 2 IoCs

Processes:

P3MKL.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	P3MKL.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

P3MKL.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
4564	P3MKL.exe
2112	powershell.exe
2144	powershell.exe
2092	powershell.exe
2092	powershell.exe
3280	powershell.exe
3280	powershell.exe
1596	powershell.exe
1596	powershell.exe
1108	powershell.exe
1108	powershell.exe
3448	powershell.exe
3448	powershell.exe
4564	P3MKL.exe
4564	P3MKL.exe
4356	powershell.exe
4356	powershell.exe
4564	P3MKL.exe
2248	powershell.exe
2248	powershell.exe
4556	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

P3MKL.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	4564	P3MKL.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	4356	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	1280	fontdrvhost.exe
Token: SeDebugPrivilege	4532	fontdrvhost.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

P3MKL.execmd.exefontdrvhost.exeWScript.exe

description	pid	process	target process
PID 4564 wrote to memory of 2112	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 2112	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 2144	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 2144	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 2092	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 2092	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 3280	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 3280	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 1108	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 1108	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 1596	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 1596	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 3448	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 3448	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 2248	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 2248	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4356	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4356	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4556	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4556	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4736	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4736	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4004	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 4004	4564	P3MKL.exe	powershell.exe
PID 4564 wrote to memory of 868	4564	P3MKL.exe	cmd.exe
PID 4564 wrote to memory of 868	4564	P3MKL.exe	cmd.exe
PID 868 wrote to memory of 1628	868	cmd.exe	w32tm.exe
PID 868 wrote to memory of 1628	868	cmd.exe	w32tm.exe
PID 868 wrote to memory of 1280	868	cmd.exe	fontdrvhost.exe
PID 868 wrote to memory of 1280	868	cmd.exe	fontdrvhost.exe
PID 1280 wrote to memory of 2848	1280	fontdrvhost.exe	WScript.exe
PID 1280 wrote to memory of 2848	1280	fontdrvhost.exe	WScript.exe
PID 1280 wrote to memory of 1972	1280	fontdrvhost.exe	WScript.exe
PID 1280 wrote to memory of 1972	1280	fontdrvhost.exe	WScript.exe
PID 2848 wrote to memory of 4532	2848	WScript.exe	fontdrvhost.exe
PID 2848 wrote to memory of 4532	2848	WScript.exe	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\P3MKL.exe
"C:\Users\Admin\AppData\Local\Temp\P3MKL.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DU5H2sWrVP.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:1628

C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe
"C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d4326d8-8a31-47ae-a0f1-ccbdeabc9c0f.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe
C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\684620d4-9aa6-4d43-a983-ac1bf87522db.vbs"
4⤵
PID:1972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1280 -s 2236
4⤵
- Program crash
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Media\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ShellComponents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellComponents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1280 -ip 1280
1⤵
PID:3924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d4326d8-8a31-47ae-a0f1-ccbdeabc9c0f.vbs
Filesize
737B

MD5
958751fbe59093088d2cc5a768114e79

SHA1
6a3ba65f1ebabfec1d8cc7168acb62b6e8971302

SHA256
0fed7b07fa1eaaa5dd7aef08ff117acc099b717bd9bc3a923487af5163747814

SHA512
13f284dfbba323d27b7af5897c77db7d06ecb3133ba67938ae347dafa9df26465b3158f9a0bcb104dee82bbfdd201d7514ef4f2d88d8040a2041bce5ba35fbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\684620d4-9aa6-4d43-a983-ac1bf87522db.vbs
Filesize
513B

MD5
13126dbc1215a6d462ec77d4ea466913

SHA1
618bb15b0415f766852a2ef19db3101714e24a95

SHA256
ef6296c6d47916a81fcf8ec086bccfd31e32e47b4ab577cbf6f1f760466b5bd9

SHA512
97f3078baf0ee93161da412cefe01214fcc79d898d67111ddf1a8f3e8f2cf03c3923a3fde5d400fa06533f494710aa4ec258ee2fd107f932b563619b40642352

Download Submit
C:\Users\Admin\AppData\Local\Temp\DU5H2sWrVP.bat
Filesize
226B

MD5
70be1c66bfa1a64d126c09bee26462d9

SHA1
718f3f06f79460500a9e1a0eb9581546369a8e14

SHA256
47fbc5db3f250f993c69d368c69245d82023a46f81bf6eec8ca9585c568c5eda

SHA512
650e6a0427b97f10bc5ace99a7da2c23d7fc5aae510f46057ee00cfcf002a83991801d601149754adbae2514d4c73d5bc324f9a7c5025948a9d4d9117dd847b7

Download Submit
C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe
Filesize
1.7MB

MD5
34fb588f1b8d10befa59da86de40acfe

SHA1
4b32ae600d1db61ea411a1bc60fb822c6701c0e1

SHA256
0df7d2d6253531529f9e1f861018b9e6ddc08169f7e0cb27e8ca5256c31d243f

SHA512
44e1a1d0f9975c264c649e971da88973f558c223674fe98c76ac6c6d6111b961ee886516436ef0a084532c794e922271abc3a6871478291a7676ba45ff8a4eb0

Download Submit
C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe
Filesize
1.7MB

MD5
34fb588f1b8d10befa59da86de40acfe

SHA1
4b32ae600d1db61ea411a1bc60fb822c6701c0e1

SHA256
0df7d2d6253531529f9e1f861018b9e6ddc08169f7e0cb27e8ca5256c31d243f

SHA512
44e1a1d0f9975c264c649e971da88973f558c223674fe98c76ac6c6d6111b961ee886516436ef0a084532c794e922271abc3a6871478291a7676ba45ff8a4eb0

Download Submit
C:\Windows\SystemResources\Windows.UI.PCShell\fontdrvhost.exe
Filesize
1.7MB

MD5
34fb588f1b8d10befa59da86de40acfe

SHA1
4b32ae600d1db61ea411a1bc60fb822c6701c0e1

SHA256
0df7d2d6253531529f9e1f861018b9e6ddc08169f7e0cb27e8ca5256c31d243f

SHA512
44e1a1d0f9975c264c649e971da88973f558c223674fe98c76ac6c6d6111b961ee886516436ef0a084532c794e922271abc3a6871478291a7676ba45ff8a4eb0

Download Submit
memory/868-152-0x0000000000000000-mapping.dmp

Download
memory/1108-181-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1108-160-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1108-143-0x0000000000000000-mapping.dmp

Download
memory/1280-205-0x000000001D680000-0x000000001D684000-memory.dmp

Filesize
16KB

Download
memory/1280-195-0x0000000000000000-mapping.dmp

Download
memory/1280-211-0x000000001CCA9000-0x000000001CCAF000-memory.dmp

Filesize
24KB

Download
memory/1280-213-0x000000001D684000-0x000000001D687000-memory.dmp

Filesize
12KB

Download
memory/1280-212-0x000000001D680000-0x000000001D684000-memory.dmp

Filesize
16KB

Download
memory/1280-210-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-204-0x000000001CCA9000-0x000000001CCAF000-memory.dmp

Filesize
24KB

Download
memory/1280-209-0x000000001D680000-0x000000001D684000-memory.dmp

Filesize
16KB

Download
memory/1280-199-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-208-0x000000001CCA9000-0x000000001CCAF000-memory.dmp

Filesize
24KB

Download
memory/1280-207-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1280-206-0x000000001D684000-0x000000001D687000-memory.dmp

Filesize
12KB

Download
memory/1280-198-0x00000000008E0000-0x0000000000A96000-memory.dmp

Filesize
1.7MB

Download
memory/1596-144-0x0000000000000000-mapping.dmp

Download
memory/1596-178-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1596-162-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1628-169-0x0000000000000000-mapping.dmp

Download
memory/1972-201-0x0000000000000000-mapping.dmp

Download
memory/2092-141-0x0000000000000000-mapping.dmp

Download
memory/2092-156-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2092-179-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2112-139-0x0000000000000000-mapping.dmp

Download
memory/2112-151-0x0000027CF9B50000-0x0000027CF9B72000-memory.dmp

Filesize
136KB

Download
memory/2112-171-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2112-153-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-140-0x0000000000000000-mapping.dmp

Download
memory/2144-154-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2144-187-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2248-146-0x0000000000000000-mapping.dmp

Download
memory/2248-194-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2248-166-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/2848-200-0x0000000000000000-mapping.dmp

Download
memory/3280-161-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/3280-142-0x0000000000000000-mapping.dmp

Download
memory/3280-175-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-145-0x0000000000000000-mapping.dmp

Download
memory/3448-163-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/3448-185-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-150-0x0000000000000000-mapping.dmp

Download
memory/4004-190-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-168-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-164-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4356-147-0x0000000000000000-mapping.dmp

Download
memory/4356-186-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-217-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-216-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4532-214-0x0000000000000000-mapping.dmp

Download
memory/4556-167-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-148-0x0000000000000000-mapping.dmp

Download
memory/4556-188-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-159-0x000000001D854000-0x000000001D857000-memory.dmp

Filesize
12KB

Download
memory/4564-133-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-136-0x000000001D850000-0x000000001D854000-memory.dmp

Filesize
16KB

Download
memory/4564-135-0x000000001C949000-0x000000001C94F000-memory.dmp

Filesize
24KB

Download
memory/4564-134-0x000000001C8F0000-0x000000001C940000-memory.dmp

Filesize
320KB

Download
memory/4564-138-0x000000001D854000-0x000000001D857000-memory.dmp

Filesize
12KB

Download
memory/4564-155-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-137-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-158-0x000000001D850000-0x000000001D854000-memory.dmp

Filesize
16KB

Download
memory/4564-157-0x000000001C949000-0x000000001C94F000-memory.dmp

Filesize
24KB

Download
memory/4564-132-0x0000000000520000-0x00000000006D6000-memory.dmp

Filesize
1.7MB

Download
memory/4736-192-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-170-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-149-0x0000000000000000-mapping.dmp

Download