Analysis

  • max time kernel
    93s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 08:11

General

  • Target

    460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe

  • Size

    1.5MB

  • MD5

    0aa11032569ed0cb4b5dc419ff4a9546

  • SHA1

    231c007ce085606499eea34174fd92911852848c

  • SHA256

    460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249

  • SHA512

    27ceefa9ff530a84e5375aa45ad00b76039d28a35bed79f5f504952401bdde41834ae668790d4c83a9d2f4d61b20d78e425b9badddf27273c35779a088137079

  • SSDEEP

    24576:U2G/nvxW3Ww0trsehgyBX9ONFTyvQa3bGl//rqtI1kg+QwZ0aHaCgPu8RYaJ:UbA30rscgjApSZWtI1t+QihaCUhYu

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe
    "C:\Users\Admin\AppData\Local\Temp\460e609ebc7f26ef8866df3f66170ab610df31bc34589f2b702f14a4f0e37249.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portfontruntimedhcpcommon\2AtjMgNakJRkKYjukYN.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\portfontruntimedhcpcommon\ZlA6L6tE0pGuNWSWZqbtTT.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3760
        • C:\portfontruntimedhcpcommon\winIntocrt.exe
          "C:\portfontruntimedhcpcommon\winIntocrt.exe"
          4⤵
          • DcRat
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4988
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ItcKxYHdV0.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3740
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1076
              • C:\portfontruntimedhcpcommon\winIntocrt.exe
                "C:\portfontruntimedhcpcommon\winIntocrt.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:464
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OFxjZIxk2T.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1712
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1864
                    • C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe
                      "C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4596
            • C:\Windows\SysWOW64\reg.exe
              reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              4⤵
              • Modifies registry key
              PID:4592
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\portfontruntimedhcpcommon\conhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\portfontruntimedhcpcommon\conhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\portfontruntimedhcpcommon\conhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:3688
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:620
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:220
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sysmon.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4708
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1720
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1036
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\unsecapp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4660
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
        1⤵
        • Process spawned unexpected child process
        PID:4640
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:944
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:392
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4932
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3964
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3496
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4188
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Sun\Java\Deployment\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4308
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1260
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4876
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4088
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4604
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3184
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\dllhost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3428
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4368
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4480
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3832
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5072
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:3140
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1792
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1064
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4540
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\SearchApp.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4984
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4344
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\System.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4908
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Setup\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:952
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\System.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4488
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3088
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        PID:212
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1020
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4584
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:3160
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\sihost.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:5092
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sihost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\sihost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        PID:4284
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3164
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\spoolsv.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4712
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:3300
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Creates scheduled task(s)
        PID:4384
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Creates scheduled task(s)
        PID:804
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Creates scheduled task(s)
        PID:2328
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Creates scheduled task(s)
        PID:388
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /f
        1⤵
        • DcRat
        • Creates scheduled task(s)
        PID:524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:396
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:1416
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\wininit.exe'" /f
        1⤵
        • Creates scheduled task(s)
        PID:2028
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\wininit.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Creates scheduled task(s)
        PID:4112
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\pris\wininit.exe'" /rl HIGHEST /f
        1⤵
          PID:4660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Creates scheduled task(s)
          PID:4948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Creates scheduled task(s)
          PID:944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:2852

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winIntocrt.exe.log
          Filesize

          1KB

          MD5

          7800fca2323a4130444c572374a030f4

          SHA1

          40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

          SHA256

          29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

          SHA512

          c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

        • C:\Users\Admin\AppData\Local\Temp\ItcKxYHdV0.bat
          Filesize

          208B

          MD5

          d357e0778d70f6e2da53d5093242ceb0

          SHA1

          fc18f026a3733548240be135ebbbf8e9abf33125

          SHA256

          42b15ff7efbd24f0a3fbec1f1a2ebe25201b22d182c21f4d3c291ba5c8be7513

          SHA512

          2d2c80c02165c15dffc1b7b75b2ad3663f1ae60fa2a7feb02bfd3bdd49facdf6041ead6ebb27b9a23ec99d45b718c7f8aa92c70e61692c6ea630970d33b8f047

        • C:\Users\Admin\AppData\Local\Temp\OFxjZIxk2T.bat
          Filesize

          239B

          MD5

          440dcad8d5b168c95dc1815cb2b75a24

          SHA1

          b5186030dafd76a2590826ed2e22145807b7246f

          SHA256

          d5387208a9b3cf9a46c2f1634a6fb98121259177aa0a250829b89fc8061648b0

          SHA512

          902f08da839e41125145f38b1d768f27c921b28dbc3ab0e0544b1348223e063bedefdad94693df3bce558317df861863515043443f27184d334f3344ea3aa7d7

        • C:\portfontruntimedhcpcommon\2AtjMgNakJRkKYjukYN.vbe
          Filesize

          224B

          MD5

          2d592334ab65a88655a2f86417777486

          SHA1

          43316e128f8cd05f2e783c8a90192aa6f423f9a5

          SHA256

          e6b379acb737d1fff313a9090bd4d8d582c4e98209d63691718b1fda2115d1cf

          SHA512

          364ef08f42a2ba6b7290929f62a8f9bd6d5084054aca3f886d8ca7de472ef37b0e4ec57c666fbfa70ef52f47f0ed31c56452b840ae5e9dcfb85231930394c65a

        • C:\portfontruntimedhcpcommon\ZlA6L6tE0pGuNWSWZqbtTT.bat
          Filesize

          157B

          MD5

          37a07b949b9630d9845c522bbf15f97c

          SHA1

          b60e22be8a2b81f733cd0b7d00f28ad3da79124b

          SHA256

          fd589c262fef893181690d62411fa304e79cf9d8470c3db7ebec775774ca28fb

          SHA512

          c4c519a2b57d44ee4a3871c1a08ca666016ace84648c180b1f9caa6efd67d3b0d1cd23b9bcd7f467a57504feed9ae203ec862ec65e1bd2077a7cb874557a3640

        • C:\portfontruntimedhcpcommon\winIntocrt.exe
          Filesize

          1.2MB

          MD5

          5da27eb690e92471d9d9669287011a75

          SHA1

          6e7f72f61d868c27c3e487586d959f35a96aeefc

          SHA256

          32346c2a4a55dc3c85e9712f8994480a826b209a00a9aedc7f181f6dd69e60d6

          SHA512

          0e47bbb8e2d72d1468308308d6e1444f824048d17f714d06135ca4ed63a4e2887aa8b327d36e4ef6243b5d0d734a1be3aff8b2c9f45efa97b739d2131392a291

        • memory/4988-12-0x00007FFCDB323000-0x00007FFCDB325000-memory.dmp
          Filesize

          8KB

        • memory/4988-13-0x0000000000960000-0x0000000000A96000-memory.dmp
          Filesize

          1.2MB

        • memory/4988-14-0x000000001B6A0000-0x000000001B6BC000-memory.dmp
          Filesize

          112KB

        • memory/4988-15-0x000000001BD50000-0x000000001BDA0000-memory.dmp
          Filesize

          320KB

        • memory/4988-16-0x000000001B6C0000-0x000000001B6D6000-memory.dmp
          Filesize

          88KB

        • memory/4988-17-0x000000001B6E0000-0x000000001B6EE000-memory.dmp
          Filesize

          56KB