dcrat | fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 22:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Size

2.0MB
MD5

96373b1a9080aa751b5a98fc96cfb66c
SHA1

17436af89fdf67d4c60416b7bccda9f6cb3cd490
SHA256

fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056
SHA512

4cacede2b67488e46c978cbd1956ed4c0b0c1657bdd3e9b9a80203bb1175fb0b2aceadd8dbedef331332d578191620435e9561b56db420b28b767ba2dfdc9f79
SSDEEP

24576:0n2XTCHM4xT9V3XzsHhVmatCELYIXVelAtgbHHd:iaTUv0jmtEttc

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 41 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1128	schtasks.exe
		2520	schtasks.exe
		2572	schtasks.exe
		1520	schtasks.exe
		760	schtasks.exe
File created	C:\Program Files (x86)\Google\Update\e1ef82546f0b02		fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
		1432	schtasks.exe
		2072	schtasks.exe
		1640	schtasks.exe
		4664	schtasks.exe
		1560	schtasks.exe
		2428	schtasks.exe
		5064	schtasks.exe
		1540	schtasks.exe
		212	schtasks.exe
		464	schtasks.exe
		3892	schtasks.exe
		4568	schtasks.exe
		5020	schtasks.exe
		4696	schtasks.exe
		4304	schtasks.exe
		3388	schtasks.exe
		4020	schtasks.exe
		4468	schtasks.exe
		1708	schtasks.exe
		3640	schtasks.exe
		4480	schtasks.exe
		4700	schtasks.exe
		224	schtasks.exe
		1644	schtasks.exe
		4872	schtasks.exe
		2216	schtasks.exe
		884	schtasks.exe
		2132	schtasks.exe
		2544	schtasks.exe
File created	C:\Program Files (x86)\Google\Update\SppExtComObj.exe		fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
		3088	schtasks.exe
		4464	schtasks.exe
		832	schtasks.exe
		4712	schtasks.exe
		2016	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\upfc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\upfc.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\dllhost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\services.exe\", \"C:\\odt\\RuntimeBroker.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\", \"C:\\odt\\SppExtComObj.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\upfc.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\dllhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\upfc.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\dllhost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\services.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\", \"C:\\Users\\Default\\Videos\\msedge.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\", \"C:\\odt\\SearchApp.exe\", \"C:\\Users\\Admin\\Videos\\upfc.exe\", \"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\", \"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\upfc.exe\", \"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\dllhost.exe\", \"C:\\Program Files\\dotnet\\swidtag\\services.exe\", \"C:\\odt\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4984	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	4984	schtasks.exe	92

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3992-0-0x0000000000800000-0x0000000000A0C000-memory.dmp	dcrat
behavioral2/files/0x0007000000023260-23.dat	dcrat
behavioral2/files/0x0009000000023285-56.dat	dcrat
behavioral2/files/0x000c00000002325b-126.dat	dcrat
behavioral2/files/0x000800000002328a-149.dat	dcrat
behavioral2/files/0x0009000000023273-155.dat	dcrat
behavioral2/files/0x000a000000023273-172.dat	dcrat
behavioral2/memory/4636-260-0x00000000006A0000-0x00000000008AC000-memory.dmp	dcrat

Detects executables containing bas64 encoded gzip files 8 IoCs

resource	yara_rule
behavioral2/memory/3992-0-0x0000000000800000-0x0000000000A0C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x0007000000023260-23.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x0009000000023285-56.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x000c00000002325b-126.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x000800000002328a-149.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x0009000000023273-155.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/files/0x000a000000023273-172.dat	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/memory/4636-260-0x00000000006A0000-0x00000000008AC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables packed with SmartAssembly 3 IoCs

resource	yara_rule
behavioral2/memory/3992-6-0x0000000002B90000-0x0000000002BA0000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3992-11-0x000000001B690000-0x000000001B69C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral2/memory/3992-14-0x000000001B630000-0x000000001B63A000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Executes dropped EXE 1 IoCs

pid	Process
4636	upfc.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\odt\\RuntimeBroker.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\upfc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\dllhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\odt\\RuntimeBroker.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Google\\Update\\SppExtComObj.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\odt\\SearchApp.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\odt\\SppExtComObj.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\odt\\SearchApp.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\odt\\SppExtComObj.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Speech_OneCore\\Engines\\SR\\en-US-N\\dllhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\dotnet\\swidtag\\services.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\Videos\\upfc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\dotnet\\swidtag\\services.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default\\Videos\\msedge.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Admin\\Videos\\upfc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\Default\\Videos\\msedge.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\VideoLAN\\VLC\\dllhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows NT\\fontdrvhost.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\OneDrive\\WmiPrvSE.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\upfc.exe\""	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8E15.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCX929D.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Google\Update\SppExtComObj.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\ea1d8f6d871115	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\dllhost.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files\VideoLAN\VLC\dllhost.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files\dotnet\swidtag\services.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX79A2.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Windows NT\fontdrvhost.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\Google\Update\SppExtComObj.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\Windows NT\5b884080fd4f94	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX7EF6.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX863F.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\Windows NT\fontdrvhost.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCX7ED6.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX8D88.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX7A2F.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\dotnet\swidtag\RCX932A.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files\dotnet\swidtag\c5b4cb5e9653cc	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files (x86)\Google\Update\e1ef82546f0b02	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Program Files\VideoLAN\VLC\5940a34987c991	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX861F.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Program Files\dotnet\swidtag\services.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\dllhost.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\5940a34987c991	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\RCX902A.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\RCX9079.tmp	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\dllhost.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-e..e-library.resources_31bf3856ad364e35_10.0.19041.1_it-it_550592fb7d180201\lsass.exe	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1708	schtasks.exe
4480	schtasks.exe
1560	schtasks.exe
2544	schtasks.exe
760	schtasks.exe
4872	schtasks.exe
1644	schtasks.exe
2520	schtasks.exe
212	schtasks.exe
1128	schtasks.exe
1520	schtasks.exe
4568	schtasks.exe
832	schtasks.exe
2216	schtasks.exe
3388	schtasks.exe
4464	schtasks.exe
2572	schtasks.exe
3640	schtasks.exe
224	schtasks.exe
5064	schtasks.exe
4468	schtasks.exe
4304	schtasks.exe
2016	schtasks.exe
884	schtasks.exe
464	schtasks.exe
4020	schtasks.exe
2072	schtasks.exe
1640	schtasks.exe
2428	schtasks.exe
4712	schtasks.exe
5020	schtasks.exe
3892	schtasks.exe
3088	schtasks.exe
4664	schtasks.exe
2132	schtasks.exe
1540	schtasks.exe
4696	schtasks.exe
4700	schtasks.exe
1432	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
4636	upfc.exe
4636	upfc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
Token: SeDebugPrivilege	4636	upfc.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4636	3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe	139
PID 3992 wrote to memory of 4636	3992	fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe
"C:\Users\Admin\AppData\Local\Temp\fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056.exe"
1⤵
- DcRat
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe
  "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\Default\Videos\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Videos\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Admin\Videos\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\OneDrive\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\OneDrive\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\SR\en-US-N\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\dotnet\swidtag\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\swidtag\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3696 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\SppExtComObj.exe

Filesize
2.0MB

MD5
53aff29b35f5c9fda63b0875966f975a

SHA1
489761c18ed49db54d44db5da886314a69b39c0e

SHA256
56a7baf8d3ff0e6e54da4cca672796176a68863b4d6bcb757858a596e122f22f

SHA512
6fad0391705f862ab61a87320815e3e62e588fff14b40fc37ec21831f780ba6364c22985f491f2085ad3732c86e714eb834e5d78a02364144c1a063705cece3d

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\upfc.exe

Filesize
2.0MB

MD5
4b00fe17dde0e0a3f5c2556f88efa4b4

SHA1
1e24007432506502110d155835fa74fd3336d3e8

SHA256
156519cd4bc76e7aa17c4491911955cebf58bff72e31c9e4ec1d840920551447

SHA512
3d96feea0fdc980fb62c4cd46302b26db382b9468f2a2b64d830350f1239b91ffbced5ca43dba48dbf0edb195b6d8b4d30b8b11d0f55decb2ae920013a688e19

Download Submit
C:\Program Files\dotnet\swidtag\services.exe

Filesize
2.0MB

MD5
23ea755c0fe334c2fa66161dfbf964bc

SHA1
7992d295e52cc32d774fa73b5398a645cda92ca3

SHA256
53cc513bffeb3e513fb75960616a58c49c534b9675c2a2ee3bc5b914ff2def19

SHA512
ae07e515cc97449522f3c4e1df4b48666ed1fd28ee6df42da1062abf6cd7d7720bf45d839c0e711a6bf6a3ac0c689a565949a0ca1263415295a81607097693d6

Download Submit
C:\Users\Admin\OneDrive\WmiPrvSE.exe

Filesize
2.0MB

MD5
0949d1c4fa6e525eeead7254d2b91707

SHA1
f420f76a1fc5cb14d7b51c14d5ba76dcb200a8d4

SHA256
f8b9003f57b349b7655b34afc098f1a348205bc445c2260151ee1c45d5363f37

SHA512
bcf4146b7f65318831f5e41b25359225c4545c3fe9229f86d68fa3aa84e42ccc3fceeee24c81c7ca9cbe9f5f36e791b1278ebbcaf281a340f830e2f2e6b1b7f6

Download Submit
C:\Users\Admin\Videos\upfc.exe

Filesize
2.0MB

MD5
96373b1a9080aa751b5a98fc96cfb66c

SHA1
17436af89fdf67d4c60416b7bccda9f6cb3cd490

SHA256
fab1001a7271caa76ddcb934ff2668bdc1f5e044a7065b7c143c429c98aba056

SHA512
4cacede2b67488e46c978cbd1956ed4c0b0c1657bdd3e9b9a80203bb1175fb0b2aceadd8dbedef331332d578191620435e9561b56db420b28b767ba2dfdc9f79

Download Submit
C:\Windows\Speech_OneCore\Engines\SR\en-US-N\RCX902A.tmp

Filesize
2.0MB

MD5
cd8b0192facaad5f42babdbfff8571a3

SHA1
ddea0f609718b96dc136ee7289ec45b4d8c81336

SHA256
b388f3b1ac5d60e80f95895133dcf7e29a32afa4ee6d124dc162ba733379e481

SHA512
2e6a947db924ddba0154d4b51b488951c987f2924a808b681bd9bd32f1fb2bfe1aac611c76370df5ad69256ab1305c023fc744bad7a09b9b1d48ef0834d271f0

Download Submit
memory/3992-5-0x00000000012C0000-0x00000000012C8000-memory.dmp

Filesize
32KB

Download
memory/3992-6-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/3992-8-0x000000001BC20000-0x000000001BC76000-memory.dmp

Filesize
344KB

Download
memory/3992-9-0x0000000002CC0000-0x0000000002CCC000-memory.dmp

Filesize
48KB

Download
memory/3992-10-0x000000001B510000-0x000000001B51C000-memory.dmp

Filesize
48KB

Download
memory/3992-13-0x000000001B6B0000-0x000000001B6BE000-memory.dmp

Filesize
56KB

Download
memory/3992-12-0x000000001B6A0000-0x000000001B6AE000-memory.dmp

Filesize
56KB

Download
memory/3992-11-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download
memory/3992-14-0x000000001B630000-0x000000001B63A000-memory.dmp

Filesize
40KB

Download
memory/3992-0-0x0000000000800000-0x0000000000A0C000-memory.dmp

Filesize
2.0MB

Download
memory/3992-31-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

Filesize
10.8MB

Download
memory/3992-7-0x000000001B670000-0x000000001B686000-memory.dmp

Filesize
88KB

Download
memory/3992-4-0x000000001B6C0000-0x000000001B710000-memory.dmp

Filesize
320KB

Download
memory/3992-3-0x000000001B4F0000-0x000000001B50C000-memory.dmp

Filesize
112KB

Download
memory/3992-2-0x000000001B710000-0x000000001B720000-memory.dmp

Filesize
64KB

Download
memory/3992-1-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

Filesize
10.8MB

Download
memory/3992-261-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

Filesize
10.8MB

Download
memory/4636-260-0x00000000006A0000-0x00000000008AC000-memory.dmp

Filesize
2.0MB

Download
memory/4636-259-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

Filesize
10.8MB

Download
memory/4636-262-0x000000001B4A0000-0x000000001B4B0000-memory.dmp

Filesize
64KB

Download
memory/4636-264-0x00007FFED7BA0000-0x00007FFED8661000-memory.dmp

Filesize
10.8MB

Download