dcrat | 0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492

Analysis

max time kernel
293s
max time network
296s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fortnite.exe
Size

1.1MB
MD5

f795b0bb519a53aa55f3a1f8b421708d
SHA1

18b0c53280f120d18e224ef389e21a09902da4f4
SHA256

0102ee1516fd47fc9cb7ffb31c922e747cc5ce638e2fb0d5e133275e271cd492
SHA512

d3a1908461508c6bf322e1aa809b6b04ed27e0722957fcdf5d4f828060f4d4ba76d415ba56b8dad1d9d07129603590fc75699d98014fd79f3bfb8ea051e70180
SSDEEP

24576:U2G/nvxW3Ww0tEiau4VjR/qCUzDG6bNUa1BMJWl:UbA30klYS6b26

Score

10^/10

dcrat evasion infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Modifies WinLogon for persistence 2 TTPs 1 IoCs
persistence

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

WmiPrvSE.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" WmiPrvSE.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	WmiPrvSE.exe

Process spawned unexpected child process 40 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	4404	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4404	schtasks.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Windows\syscom32.exe	dcrat
C:\Windows\syscom32.exe	dcrat
behavioral2/memory/3644-145-0x00000000003A0000-0x0000000000476000-memory.dmp	dcrat
C:\Windows\Help\Idle.exe	dcrat
C:\Windows\syscom32.exe	dcrat
C:\odt\WmiPrvSE.exe	dcrat
C:\odt\WmiPrvSE.exe	dcrat
C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe	dcrat
C:\Recovery\WindowsRE\explorer.exe	dcrat
C:\Windows\debug\dwm.exe	dcrat
C:\Windows\Setup\sysmon.exe	dcrat
C:\odt\RuntimeBroker.exe	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

syscom32.exeWmiPrvSE.exeFortnite.exeWScript.exesyscom32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	syscom32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Fortnite.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	syscom32.exe

Executes dropped EXE 3 IoCs

Processes:

syscom32.exesyscom32.exeWmiPrvSE.exe

pid process

3644 syscom32.exe
3336 syscom32.exe
100 WmiPrvSE.exe

Drops file in Program Files directory 6 IoCs

Processes:

syscom32.exesyscom32.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe	syscom32.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe	syscom32.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ee2ad38f3d4382	syscom32.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe	syscom32.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe	syscom32.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\eddb19405b7ce1	syscom32.exe

Drops file in Windows directory 13 IoCs

Processes:

syscom32.exeFortnite.exesyscom32.exe

description	ioc	process
File created	C:\Windows\Setup\sysmon.exe	syscom32.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240547015	Fortnite.exe
File created	C:\Windows\syscom32.exe	Fortnite.exe
File opened for modification	C:\Windows\syscom32.exe	Fortnite.exe
File created	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe
File opened for modification	C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe	Fortnite.exe
File created	C:\Windows\debug\dwm.exe	syscom32.exe
File created	C:\Windows\debug\6cb0b6c459d5d3	syscom32.exe
File created	C:\Windows\Setup\121e5b5079f7c0	syscom32.exe
File created	C:\Windows\kkLuA.bat	Fortnite.exe
File opened for modification	C:\Windows\kkLuA.bat	Fortnite.exe
File created	C:\Windows\Help\Idle.exe	syscom32.exe
File created	C:\Windows\Help\6ccacd8608530f	syscom32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1204	schtasks.exe
1188	schtasks.exe
4144	schtasks.exe
3748	schtasks.exe
2276	schtasks.exe
4468	schtasks.exe
4472	schtasks.exe
1180	schtasks.exe
4692	schtasks.exe
4324	schtasks.exe
624	schtasks.exe
1028	schtasks.exe
3912	schtasks.exe
1824	schtasks.exe
2480	schtasks.exe
1276	schtasks.exe
368	schtasks.exe
3536	schtasks.exe
1084	schtasks.exe
3100	schtasks.exe
4732	schtasks.exe
3136	schtasks.exe
2036	schtasks.exe
2160	schtasks.exe

Modifies registry class 3 IoCs

Processes:

syscom32.exeFortnite.exesyscom32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	syscom32.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	Fortnite.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	syscom32.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

4920 reg.exe
2668 reg.exe
2072 reg.exe

pid	process
4920	reg.exe
2668	reg.exe
2072	reg.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

syscom32.exesyscom32.exeWmiPrvSE.exe

pid	process
3644	syscom32.exe
3336	syscom32.exe
3336	syscom32.exe
3336	syscom32.exe
3336	syscom32.exe
3336	syscom32.exe
3336	syscom32.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe
100	WmiPrvSE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WmiPrvSE.exe

pid process

100 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

syscom32.exesyscom32.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 3644 syscom32.exe
Token: SeDebugPrivilege 3336 syscom32.exe
Token: SeDebugPrivilege 100 WmiPrvSE.exe

pid	process
100	WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	3644	syscom32.exe
Token: SeDebugPrivilege	3336	syscom32.exe
Token: SeDebugPrivilege	100	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Fortnite.exeWScript.execmd.exesyscom32.execmd.exesyscom32.execmd.exeWmiPrvSE.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3232 wrote to memory of 3672	3232	Fortnite.exe	WScript.exe
PID 3232 wrote to memory of 3672	3232	Fortnite.exe	WScript.exe
PID 3232 wrote to memory of 3672	3232	Fortnite.exe	WScript.exe
PID 3672 wrote to memory of 3080	3672	WScript.exe	cmd.exe
PID 3672 wrote to memory of 3080	3672	WScript.exe	cmd.exe
PID 3672 wrote to memory of 3080	3672	WScript.exe	cmd.exe
PID 3080 wrote to memory of 3644	3080	cmd.exe	syscom32.exe
PID 3080 wrote to memory of 3644	3080	cmd.exe	syscom32.exe
PID 3644 wrote to memory of 3768	3644	syscom32.exe	cmd.exe
PID 3644 wrote to memory of 3768	3644	syscom32.exe	cmd.exe
PID 3080 wrote to memory of 4920	3080	cmd.exe	reg.exe
PID 3080 wrote to memory of 4920	3080	cmd.exe	reg.exe
PID 3080 wrote to memory of 4920	3080	cmd.exe	reg.exe
PID 3768 wrote to memory of 3640	3768	cmd.exe	w32tm.exe
PID 3768 wrote to memory of 3640	3768	cmd.exe	w32tm.exe
PID 3768 wrote to memory of 3336	3768	cmd.exe	syscom32.exe
PID 3768 wrote to memory of 3336	3768	cmd.exe	syscom32.exe
PID 3336 wrote to memory of 544	3336	syscom32.exe	cmd.exe
PID 3336 wrote to memory of 544	3336	syscom32.exe	cmd.exe
PID 544 wrote to memory of 2616	544	cmd.exe	w32tm.exe
PID 544 wrote to memory of 2616	544	cmd.exe	w32tm.exe
PID 544 wrote to memory of 100	544	cmd.exe	WmiPrvSE.exe
PID 544 wrote to memory of 100	544	cmd.exe	WmiPrvSE.exe
PID 100 wrote to memory of 720	100	WmiPrvSE.exe	cmd.exe
PID 100 wrote to memory of 720	100	WmiPrvSE.exe	cmd.exe
PID 720 wrote to memory of 2668	720	cmd.exe	reg.exe
PID 720 wrote to memory of 2668	720	cmd.exe	reg.exe
PID 100 wrote to memory of 4244	100	WmiPrvSE.exe	Taskmgr.exe
PID 100 wrote to memory of 4244	100	WmiPrvSE.exe	Taskmgr.exe
PID 100 wrote to memory of 2488	100	WmiPrvSE.exe	cmd.exe
PID 100 wrote to memory of 2488	100	WmiPrvSE.exe	cmd.exe
PID 2488 wrote to memory of 2072	2488	cmd.exe	reg.exe
PID 2488 wrote to memory of 2072	2488	cmd.exe	reg.exe
PID 100 wrote to memory of 5024	100	WmiPrvSE.exe	Taskmgr.exe
PID 100 wrote to memory of 5024	100	WmiPrvSE.exe	Taskmgr.exe
PID 100 wrote to memory of 1504	100	WmiPrvSE.exe	cmd.exe
PID 100 wrote to memory of 1504	100	WmiPrvSE.exe	cmd.exe
PID 1504 wrote to memory of 4884	1504	cmd.exe	w32tm.exe
PID 1504 wrote to memory of 4884	1504	cmd.exe	w32tm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Fortnite.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\kkLuA.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\syscom32.exe
"C:\Windows\syscom32.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UvH15lHOqc.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:3640

C:\Windows\syscom32.exe
"C:\Windows\syscom32.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TARYHY2Kf5.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2616

C:\odt\WmiPrvSE.exe
"C:\odt\WmiPrvSE.exe"
8⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 0 /f
9⤵
- Suspicious use of WriteProcessMemory
PID:720

C:\Windows\system32\reg.exe
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 0 /f
10⤵
- Modifies registry key
PID:2668

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
9⤵
PID:4244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 0 /f
9⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\system32\reg.exe
reg add HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem /v DisableTaskMgr /t REG_DWORD /d 0 /f
10⤵
- Modifies registry key
PID:2072

C:\Windows\System32\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
9⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat" "
9⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Help\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\debug\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Setup\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Windows\Setup\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "syscom32" /f
1⤵
- Process spawned unexpected child process
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "syscom32s" /f
1⤵
- Process spawned unexpected child process
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHost" /f
1⤵
- Process spawned unexpected child process
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "backgroundTaskHostb" /f
1⤵
- Process spawned unexpected child process
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSE" /f
1⤵
- Process spawned unexpected child process
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSEW" /f
1⤵
- Process spawned unexpected child process
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorer" /f
1⤵
- Process spawned unexpected child process
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorere" /f
1⤵
- Process spawned unexpected child process
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
- Process spawned unexpected child process
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
- Process spawned unexpected child process
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sysmon" /f
1⤵
- Process spawned unexpected child process
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sysmons" /f
1⤵
- Process spawned unexpected child process
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSE" /f
1⤵
- Process spawned unexpected child process
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "WmiPrvSEW" /f
1⤵
- Process spawned unexpected child process
PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Security\BrowserCore\en-US\backgroundTaskHost.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Program Files\Windows Security\BrowserCore\en-US\eddb19405b7ce1
Filesize
300B

MD5
d98ef8a58f09a6b2a1156e2b5714e917

SHA1
e84b6d99fd7e98fb36e68e25b64b78ab9e819817

SHA256
1612b84f68e95744e909042cd2907830e8ed4542cefd2c001463e4f7e8c2ed38

SHA512
db8e9c7526352eacbe65ff22e5d39a4d7cf66fdfe8735661d19968731293bc7193d8140fd14a43ac91881fd06b0f24a5ace35b209e1f170895aaf7cd1a325ba1

Download Submit
C:\Recovery\WindowsRE\7a0fd90576e088
Filesize
938B

MD5
d054d8c24b229bdf8e1aa492f6194bbe

SHA1
b9f012947df1bc732ce81e438c831678e62d77c3

SHA256
07cb0cec0a3c707b7a5f2e59f66b698dc9af29ce7117a1cc6882d129caebcf3e

SHA512
47de91934f38ffde8de7bdb6ebbd3c64a73264249f55c1132a3f1e8d5fbf532608bd6952b09ef7c84bf038b0660b22ba1f71860c7946bb32b3d33612c3ae1e0e

Download Submit
C:\Recovery\WindowsRE\explorer.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\syscom32.exe.log
Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\TARYHY2Kf5.bat
Filesize
184B

MD5
4bd98d2c434218273d1491e194928912

SHA1
d6c7e4dfcbf9a883fbe71df9cd52b13e71216c2f

SHA256
145cb5511f1c72f1c3d5e23d027ad303d383e2bfac0d4a0e36bd7d9ef44654e2

SHA512
bae009df5fcd08813010c99c38c3aca01c1e313e605c94e17cd86d00cde331f0027e649fd187dba9178a22df6d5f1b85a68c3afc521183f44147afade8486b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\UvH15lHOqc.bat
Filesize
188B

MD5
37ccdddf02261e1189a708698bd6315e

SHA1
04339d74bec783e44eab9487e0f05ff0214f3f9c

SHA256
8d78bf0b970342340af96ad679b152be26bc8186b64a39947f1225972eb4841e

SHA512
81c8539836eec477f045e0c0e3eccef1a379d50b414a5bdd480d327e16bbd0282252da6bb1fd8516c6895748096fbf3e664cc80115ef80f9eaf9f66894538964

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat
Filesize
226B

MD5
1dfb761cbf9daa95884d8a8dcc1fed27

SHA1
6cb5704004959aa18d7c20d373a655e147309562

SHA256
df58a34bbb09021a29081f8bb68c0d92c0f340c9defaefe06759dd9e8358f8d6

SHA512
d4d7aa132c0be2d31dfd8b736239554ec01e960b3b94ca87408498e737443b433fe87df19475b707b48168c3af256cd4400d58405774e6cd1547172c8636e37f

Download Submit
C:\Windows\Help\Idle.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\Setup\121e5b5079f7c0
Filesize
877B

MD5
420743e0d8836542ec5daf59dc00e60f

SHA1
012ce11fd5dbd62874357dd303e4cb6db632c91c

SHA256
3a36b6ea52244784d8bac0947511d91f1e74d36223989f5247001383d986c1a1

SHA512
e1c0b578a423493c13be936c0cb780bedc613cdb0fb6f9b05fd4896d2bc37b39356647b475cc5c584a916adfc663cea498a7fd59e02d3cbc3467c3b46aeab51c

Download Submit
C:\Windows\Setup\sysmon.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\debug\6cb0b6c459d5d3
Filesize
989B

MD5
1c0301d4ab86737ecca7d4b6ea543efa

SHA1
2fbcdb3f53023288ff6683e31ed675c3897a9f48

SHA256
fe5ef341ec9ff90757a5d49eb4de32a54f6443be210287e8513a2c6986326d20

SHA512
19872b702e24cd8e37d575b9e2e9b495b4b94fce237c4d947ca673331e76067eb1abc8fc049356f8f6bace742e43892ab4e505bbdcd0fc6493d0daa6b72b3185

Download Submit
C:\Windows\debug\dwm.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\kkLuA.bat
Filesize
137B

MD5
eddbf02b8f63229a6f4670d77d49f965

SHA1
84dc5aa13c3a7144742df74e28da6a7ad9177a69

SHA256
12646d50947198b1c27be43e89905ce71902c186c21f1abbe0dc16919d4ce7ae

SHA512
be87f2ec9e7371a7999b8c552af765374d8c5c186df18dea61caa5ca57b1ac9e95b194a31d459e090a5cb32c7908af3e90cb4b2576ccfc191a6043879436681d

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\syscom32.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\Windows\wJSrXid0UUwHHOMygNV3xLBKK.vbe
Filesize
189B

MD5
c7c7ffa475aef8dff75df4c55df974af

SHA1
ef0427f4f4091c69d488443079477b1d4416e9b2

SHA256
19a4bf5506db87cf645f4a6e9af79b85e0d04ac4e7bc948585510dfe99d5ef16

SHA512
72fa6c18a83eb5edb303a85de4fb5f759a570aa5281525da6021cc1f0613257fbb5305f7a1bf6f6e3337d9ef707776a372b938f6ae6be777b7e6fe18a9dcba66

Download Submit
C:\odt\24dbde2999530e
Filesize
917B

MD5
fdd1f60c50292796a128e0ec3f5dc458

SHA1
9386b13a9d03cd25ab14469520478c10897e6362

SHA256
956e2a9bef12301eb21b0a8855213b392bba6972f5b9fb13e19c6d0863387887

SHA512
3ac9275dfe224bb7e5620d9201d407af40e7557bb883a6931560a41816b9e161c6892c120407c87b23dd36be17670bf3bf2f760d8ea40f4677d0457f5d071d39

Download Submit
C:\odt\9e8d7a4ca61bd9
Filesize
699B

MD5
4a4454a7dfcedf216703487edf746ae4

SHA1
ed2e7dcc6acbc60db3ebbe8242e6ce0aae90e119

SHA256
607042941c8c17d067c14cccb97ada2d3a248ddf8ac5a34be651a583244f4a69

SHA512
fee32faf970b00c0dfb5f9d4b91149b4d8fbaf79adf2e62e7d4ff42440b851d04b26a82f51fbc28fa6d6a97d438472d6f9170e3b50144f716e44f296e0a13940

Download Submit
C:\odt\RuntimeBroker.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\odt\WmiPrvSE.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
C:\odt\WmiPrvSE.exe
Filesize
829KB

MD5
a0ae20389c09fb809b4d4a842cb890d4

SHA1
f30474f81d60a8c27a722dc822c15639eec30f28

SHA256
dd1deb85892dfd059f6989123cd1d742c252006d09e5d94f57dbe9f0c3cb0fb7

SHA512
2af2aa987e8afc62d2d7a16168e688879bc0b2f3c717dff2a00d96079c3bc6ba6346adecd23334a9409bb7ca885b9eb7ad0be2eb6cd0592fd0fd3348aef559ce

Download Submit
memory/100-187-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/100-180-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/100-181-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/100-182-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/100-183-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/100-186-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/100-185-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/100-184-0x000000001B820000-0x000000001B830000-memory.dmp

Filesize
64KB

Download
memory/3336-174-0x000000001B410000-0x000000001B420000-memory.dmp

Filesize
64KB

Download
memory/3644-150-0x000000001AFA0000-0x000000001AFB0000-memory.dmp

Filesize
64KB

Download
memory/3644-145-0x00000000003A0000-0x0000000000476000-memory.dmp

Filesize
856KB

Download