dcrat | 8b68b05256c95c7b8a1257787904bc05d96ff4089e8ea39bef9eff1a6b9d1021

Analysis

max time kernel
48s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 16:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

agentCommon.exe
Size

827KB
MD5

7c2584e24ef03a88d75681d163bbf218
SHA1

9d494ac4122ecab70dc78715e69aa78e0fed638e
SHA256

8b68b05256c95c7b8a1257787904bc05d96ff4089e8ea39bef9eff1a6b9d1021
SHA512

38f581c8b97dcc5a5e0ee955c9b8b4f200c659fce279254ea0adaa483ecb1143bb39add3523a0dfeb0f23f184dc77f095129b18de64a66da2ff23b5839879e44
SSDEEP

12288:9+vPvzIVaXcMw1SRAhHb8JTLlK/yWqt18kRbFsf4/10kRkGV/2Lox5:0bB7w1WTLlybqtyabFO49vZ2LU

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3096	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3140	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	932	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	932	schtasks.exe	83

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/660-1-0x0000000000B60000-0x0000000000C36000-memory.dmp	dcrat
behavioral2/files/0x0007000000023439-11.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	agentCommon.exe

Executes dropped EXE 1 IoCs

pid	Process
1128	Registry.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\icsxml\services.exe	agentCommon.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\en-US\f3b6ecef712a24	agentCommon.exe
File created	C:\Program Files\ModifiableWindowsApps\RuntimeBroker.exe	agentCommon.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	agentCommon.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3	agentCommon.exe
File created	C:\Program Files\ModifiableWindowsApps\backgroundTaskHost.exe	agentCommon.exe
File created	C:\Program Files\Microsoft Office 15\fontdrvhost.exe	agentCommon.exe
File created	C:\Program Files\Microsoft Office 15\5b884080fd4f94	agentCommon.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe	agentCommon.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\886983d96e3d3e	agentCommon.exe
File created	C:\Windows\WaaS\tasks\SppExtComObj.exe	agentCommon.exe
File created	C:\Windows\Tasks\fontdrvhost.exe	agentCommon.exe
File opened for modification	C:\Windows\Tasks\fontdrvhost.exe	agentCommon.exe
File created	C:\Windows\Tasks\5b884080fd4f94	agentCommon.exe
File created	C:\Windows\IdentityCRL\csrss.exe	agentCommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3140	schtasks.exe
3084	schtasks.exe
3056	schtasks.exe
1600	schtasks.exe
4496	schtasks.exe
3656	schtasks.exe
1428	schtasks.exe
212	schtasks.exe
2456	schtasks.exe
3588	schtasks.exe
3508	schtasks.exe
5000	schtasks.exe
3340	schtasks.exe
2900	schtasks.exe
2376	schtasks.exe
4852	schtasks.exe
3192	schtasks.exe
2572	schtasks.exe
3096	schtasks.exe
316	schtasks.exe
1080	schtasks.exe
1692	schtasks.exe
4200	schtasks.exe
4720	schtasks.exe
1492	schtasks.exe
1564	schtasks.exe
3204	schtasks.exe
2208	schtasks.exe
4092	schtasks.exe
1356	schtasks.exe
3136	schtasks.exe
2836	schtasks.exe
2984	schtasks.exe
2184	schtasks.exe
3624	schtasks.exe
116	schtasks.exe
2172	schtasks.exe
2136	schtasks.exe
5040	schtasks.exe
2784	schtasks.exe
2212	schtasks.exe
2244	schtasks.exe
4628	schtasks.exe
2748	schtasks.exe
3632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
660	agentCommon.exe
1128	Registry.exe
1128	Registry.exe
1128	Registry.exe
1128	Registry.exe
1128	Registry.exe
1128	Registry.exe
1128	Registry.exe
1128	Registry.exe
1128	Registry.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	agentCommon.exe
Token: SeDebugPrivilege	1128	Registry.exe
Token: SeDebugPrivilege	988	taskmgr.exe
Token: SeSystemProfilePrivilege	988	taskmgr.exe
Token: SeCreateGlobalPrivilege	988	taskmgr.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 1128	660	agentCommon.exe	129
PID 660 wrote to memory of 1128	660	agentCommon.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\agentCommon.exe
"C:\Users\Admin\AppData\Local\Temp\agentCommon.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Default User\Registry.exe
  "C:\Users\Default User\Registry.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\IdentityCRL\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\SoftwareDistribution\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\SoftwareDistribution\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IdentityCRL\csrss.exe

Filesize
827KB

MD5
7c2584e24ef03a88d75681d163bbf218

SHA1
9d494ac4122ecab70dc78715e69aa78e0fed638e

SHA256
8b68b05256c95c7b8a1257787904bc05d96ff4089e8ea39bef9eff1a6b9d1021

SHA512
38f581c8b97dcc5a5e0ee955c9b8b4f200c659fce279254ea0adaa483ecb1143bb39add3523a0dfeb0f23f184dc77f095129b18de64a66da2ff23b5839879e44

Download Submit
memory/660-0-0x00007FFFA3D03000-0x00007FFFA3D05000-memory.dmp

Filesize
8KB

Download
memory/660-1-0x0000000000B60000-0x0000000000C36000-memory.dmp

Filesize
856KB

Download
memory/660-4-0x00007FFFA3D00000-0x00007FFFA47C1000-memory.dmp

Filesize
10.8MB

Download
memory/660-45-0x00007FFFA3D00000-0x00007FFFA47C1000-memory.dmp

Filesize
10.8MB

Download
memory/988-47-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-46-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-48-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-58-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-57-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-56-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-55-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-54-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-53-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download
memory/988-52-0x00000171C3810000-0x00000171C3811000-memory.dmp

Filesize
4KB

Download