Analysis
-
max time kernel
600s -
max time network
606s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system -
submitted
19-06-2024 16:50
Static task
static1
Behavioral task
behavioral1
Sample
Desktop.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
Desktop.exe
Resource
win10v2004-20240226-en
General
-
Target
Desktop.exe
-
Size
2.9MB
-
MD5
870bc89aac12414fb0b2283d58a57ce9
-
SHA1
2e3a4127668b6ae2db7566853a089f885911fd3c
-
SHA256
1a6f1c3694f5e3a128245228344423d3e5cfea709f72f5e18afcdab1caed7be2
-
SHA512
88d064936ae963939c1767663dd5a0807eee1c5e3c0cea48dec48be743b20fd1cdad298e708134683d3a3b2785146637d5206eb014a10be0724eeb0404e8a7c7
-
SSDEEP
49152:xvY3ShUkwbb96kTTEGjFZ01vkfDpf5YVNFbHKpRvv1BRHoMJKxRFwLfe:xw3MUkinXfjFZKvkf95YtjOVo2wRFZ
Malware Config
Signatures
-
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
-
Modifies WinLogon for persistence 2 TTPs 17 IoCs
Processes:
Sessioncrt.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All 
Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", 
\"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\spoolsv.exe\", \"C:\\Users\\Default\\Application Data\\conhost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", 
\"C:\\odt\\spoolsv.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\spoolsv.exe\", \"C:\\Users\\Default\\Application Data\\conhost.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft 
Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\spoolsv.exe\", \"C:\\Users\\Default\\Application Data\\conhost.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, 
\"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\"" Sessioncrt.exe -
Process spawned unexpected child process 51 IoCs
This typically indicates that the parent process was compromised, for example via an exploit or a malicious macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2164 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 456 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3640 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2592 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4328 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3712 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1876 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1572 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1556 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4248 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4080 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to 
spawn this process 3152 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 464 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3468 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4556 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2720 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4804 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4780 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1212 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4360 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 928 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3056 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3348 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 544 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3852 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3288 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3896 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 456 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not 
expected to spawn this process 1332 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2780 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4976 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4328 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3712 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3808 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4532 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3044 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3972 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4080 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3096 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4640 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5044 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4436 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1728 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3508 3780 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2108 3780 schtasks.exe Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1472 3780 schtasks.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe dcrat C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe dcrat behavioral2/memory/1828-47-0x0000000000720000-0x000000000084C000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 5 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes:
Desktop.exe DCRatBuild_protected.sfx.exe DCRatBuild_protected.exe WScript.exe Sessioncrt.exe description ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Desktop.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation DCRatBuild_protected.sfx.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation DCRatBuild_protected.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation Sessioncrt.exe -
Executes dropped EXE 13 IoCs
Processes:
DCRatBuild_protected.sfx.exe RTC_Launcher11.exe DCRatBuild_protected.exe Sessioncrt.exe spoolsv.exe services.exe conhost.exe csrss.exe msedge.exe dllhost.exe spoolsv.exe RuntimeBroker.exe Sessioncrt.exe pid process 4648 DCRatBuild_protected.sfx.exe 4812 RTC_Launcher11.exe 5004 DCRatBuild_protected.exe 1828 Sessioncrt.exe 672 spoolsv.exe 2084 services.exe 3120 conhost.exe 3400 csrss.exe 4024 msedge.exe 1956 dllhost.exe 2336 spoolsv.exe 3104 RuntimeBroker.exe 544 Sessioncrt.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
-
Adds Run key to start application 2 TTPs 34 IoCs
Processes:
Sessioncrt.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\bcastdvr\\SppExtComObj.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\"" Sessioncrt.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sessioncrt = "\"C:\\odt\\Sessioncrt.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sessioncrt = "\"C:\\odt\\Sessioncrt.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ShellComponents\\csrss.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\StartMenuExperienceHost.exe\"" Sessioncrt.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\Application Data\\conhost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\bcastdvr\\SppExtComObj.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\odt\\spoolsv.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\Application Data\\conhost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\odt\\spoolsv.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\Default User\\WaaSMedicAgent.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\Default User\\WaaSMedicAgent.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ShellComponents\\csrss.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = 
"\"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\"" Sessioncrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\"" Sessioncrt.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
DCRatBuild_protected.exe pid process 5004 DCRatBuild_protected.exe -
Drops file in Program Files directory 8 IoCs
Processes:
Sessioncrt.exe description ioc process File created C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe Sessioncrt.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\55b276f4edf653 Sessioncrt.exe File created C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe Sessioncrt.exe File created C:\Program Files (x86)\Windows Mail\c82b8037eab33d Sessioncrt.exe File created C:\Program Files\Microsoft Office\WmiPrvSE.exe Sessioncrt.exe File created C:\Program Files\Microsoft Office\24dbde2999530e Sessioncrt.exe File created C:\Program Files\Windows Photo Viewer\msedge.exe Sessioncrt.exe File created C:\Program Files\Windows Photo Viewer\61a52ddc9dd915 Sessioncrt.exe -
Drops file in Windows directory 4 IoCs
Processes:
Sessioncrt.exe description ioc process File created C:\Windows\ShellComponents\886983d96e3d3e Sessioncrt.exe File created C:\Windows\bcastdvr\SppExtComObj.exe Sessioncrt.exe File created C:\Windows\bcastdvr\e1ef82546f0b02 Sessioncrt.exe File created C:\Windows\ShellComponents\csrss.exe Sessioncrt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandbox environments.
Processes:
explorer.exe description ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Processes:
explorer.exe description ioc process Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe -
Modifies registry class 39 IoCs
Processes:
explorer.exeDCRatBuild_protected.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" 
explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" explorer.exe Key created 
\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings DCRatBuild_protected.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39050000000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "8" explorer.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
schtasks.exe is often used by malware to establish persistence or to perform post-infection execution. In this run each dropped binary is registered both as an ONLOGON task and as a recurring MINUTE-interval task, most of them with /rl HIGHEST, so the task names and target paths listed under Processes are the artifacts to look for on a suspected host.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3852 schtasks.exe 1332 schtasks.exe 4640 schtasks.exe 1728 schtasks.exe 1572 schtasks.exe 4248 schtasks.exe 4780 schtasks.exe 3896 schtasks.exe 3096 schtasks.exe 3468 schtasks.exe 4556 schtasks.exe 3808 schtasks.exe 4804 schtasks.exe 456 schtasks.exe 3712 schtasks.exe 3288 schtasks.exe 3044 schtasks.exe 464 schtasks.exe 3508 schtasks.exe 3640 schtasks.exe 3972 schtasks.exe 1472 schtasks.exe 2592 schtasks.exe 1556 schtasks.exe 544 schtasks.exe 5044 schtasks.exe 3048 schtasks.exe 3712 schtasks.exe 928 schtasks.exe 4976 schtasks.exe 2108 schtasks.exe 4640 schtasks.exe 1212 schtasks.exe 4328 schtasks.exe 4360 schtasks.exe 4080 schtasks.exe 2164 schtasks.exe 2728 schtasks.exe 5044 schtasks.exe 2780 schtasks.exe 1972 schtasks.exe 1876 schtasks.exe 3152 schtasks.exe 2720 schtasks.exe 4532 schtasks.exe 456 schtasks.exe 4080 schtasks.exe 3056 schtasks.exe 3348 schtasks.exe 4328 schtasks.exe 4436 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
explorer.exepid process 724 explorer.exe -
Suspicious behavior: EnumeratesProcesses 57 IoCs
Processes:
Sessioncrt.exespoolsv.exepid process 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 1828 Sessioncrt.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe 672 spoolsv.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
spoolsv.exepid process 672 spoolsv.exe -
Suspicious use of AdjustPrivilegeToken 13 IoCs
Processes:
RTC_Launcher11.exeSessioncrt.exespoolsv.exeservices.execonhost.exemsedge.execsrss.exedllhost.exespoolsv.exeexplorer.exeRuntimeBroker.exeSessioncrt.exedescription pid process Token: SeDebugPrivilege 4812 RTC_Launcher11.exe Token: SeDebugPrivilege 1828 Sessioncrt.exe Token: SeDebugPrivilege 672 spoolsv.exe Token: SeDebugPrivilege 2084 services.exe Token: SeDebugPrivilege 3120 conhost.exe Token: SeDebugPrivilege 4024 msedge.exe Token: SeDebugPrivilege 3400 csrss.exe Token: SeDebugPrivilege 1956 dllhost.exe Token: SeDebugPrivilege 2336 spoolsv.exe Token: SeShutdownPrivilege 724 explorer.exe Token: SeCreatePagefilePrivilege 724 explorer.exe Token: SeDebugPrivilege 3104 RuntimeBroker.exe Token: SeDebugPrivilege 544 Sessioncrt.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
RTC_Launcher11.exeexplorer.exepid process 4812 RTC_Launcher11.exe 724 explorer.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
DCRatBuild_protected.exepid process 5004 DCRatBuild_protected.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
Desktop.exeDCRatBuild_protected.sfx.exeDCRatBuild_protected.exeWScript.execmd.exeSessioncrt.exedescription pid process target process PID 4768 wrote to memory of 4648 4768 Desktop.exe DCRatBuild_protected.sfx.exe PID 4768 wrote to memory of 4648 4768 Desktop.exe DCRatBuild_protected.sfx.exe PID 4768 wrote to memory of 4648 4768 Desktop.exe DCRatBuild_protected.sfx.exe PID 4768 wrote to memory of 4812 4768 Desktop.exe RTC_Launcher11.exe PID 4768 wrote to memory of 4812 4768 Desktop.exe RTC_Launcher11.exe PID 4648 wrote to memory of 5004 4648 DCRatBuild_protected.sfx.exe DCRatBuild_protected.exe PID 4648 wrote to memory of 5004 4648 DCRatBuild_protected.sfx.exe DCRatBuild_protected.exe PID 4648 wrote to memory of 5004 4648 DCRatBuild_protected.sfx.exe DCRatBuild_protected.exe PID 5004 wrote to memory of 3384 5004 DCRatBuild_protected.exe WScript.exe PID 5004 wrote to memory of 3384 5004 DCRatBuild_protected.exe WScript.exe PID 5004 wrote to memory of 3384 5004 DCRatBuild_protected.exe WScript.exe PID 3384 wrote to memory of 3660 3384 WScript.exe cmd.exe PID 3384 wrote to memory of 3660 3384 WScript.exe cmd.exe PID 3384 wrote to memory of 3660 3384 WScript.exe cmd.exe PID 3660 wrote to memory of 1828 3660 cmd.exe Sessioncrt.exe PID 3660 wrote to memory of 1828 3660 cmd.exe Sessioncrt.exe PID 1828 wrote to memory of 672 1828 Sessioncrt.exe spoolsv.exe PID 1828 wrote to memory of 672 1828 Sessioncrt.exe spoolsv.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Desktop.exe"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648 -
C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat" "5⤵
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\odt\spoolsv.exe"C:\odt\spoolsv.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:672 -
C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SessioncrtS" /sc MINUTE /mo 14 /tr "'C:\odt\Sessioncrt.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Sessioncrt" /sc ONLOGON /tr "'C:\odt\Sessioncrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SessioncrtS" /sc MINUTE /mo 9 /tr "'C:\odt\Sessioncrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\odt\services.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:4436
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3056
-
C:\odt\services.exeC:\odt\services.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084
-
C:\Users\Default\Application Data\conhost.exe"C:\Users\Default\Application Data\conhost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400
-
C:\Program Files\Windows Photo Viewer\msedge.exe"C:\Program Files\Windows Photo Viewer\msedge.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024
-
C:\Users\Default\dllhost.exeC:\Users\Default\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
C:\odt\spoolsv.exeC:\odt\spoolsv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2336
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:1316
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵PID:2000
-
C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe"C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104
-
C:\odt\Sessioncrt.exeC:\odt\Sessioncrt.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:544
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sessioncrt.exe.logFilesize
1KB
MD57800fca2323a4130444c572374a030f4
SHA140c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa
SHA25629f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e
SHA512c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.logFilesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exeFilesize
2.5MB
MD583618e903d98ec133601e89c1a0e1702
SHA10eb9e4eb3a1e14db6de7daa2f2adf427ea69b72b
SHA2563e691c4c223f7f73ec372a89395cb52de8857117e0a89f6add5b047cebb0954a
SHA51215de670de060e06e3fd292b5b273a587ece2dc1e7d6052501a01ced508f65d2840c485745fb4852fc3edb2b8bbab471f3abaa524d24ef0b3a64b3131ec7977fb
-
C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exeFilesize
2.2MB
MD548e1d67ef1b8e21942e80ef139c49ab5
SHA1f6afc9a69a1f87e4eee7292d24baef715fee9edd
SHA256e9eefea3acb118651c066d0f2a3aa0af471678d601198025f4a30b8fef810b08
SHA51234498df32a3d9ee468bc94b046da999d56af25c850f77f817ac1117a60ded8e19ca1194e5d421fddbac2c9a54da71a4e435b88a10a8f04f67ba002b9275793b2
-
C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exeFilesize
758KB
MD5cb1929328dea316fcb34f3486697d16e
SHA18c2db8d4b4644cb356a9283b2fa7bb6a988a5d7b
SHA2567a3deffc327b1e49cbc95dc4c41f1f4c0fd55825cc7c18fd06b96a900e0bf5f9
SHA51290ef1cc19c01c1c0b2b4b802e88d622ff07ffc91273350200cd0589e6acabb63634af2883f6cae554dacab0f401b4294d13291707507c6fa035c282214fc6a28
-
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.batFilesize
48B
MD5f96a95d4ab98914fa1240be122d6f93f
SHA11cda6eceb85d4b3e5c97bf686a2fbbf506ddbcd5
SHA2563cc300d7cc5eef9130a8a0fe3b748a2e00b1b57946c5d43df261a211375a5a67
SHA512a210bc272db00f3f7da096a5a46c1aabf7f045b69eabd8e9d443d1c329005592f2efdaff8132c931d468ce434d099bb3da7d67c51f69b6ef8759b00deb52a179
-
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbeFilesize
227B
MD56412c9c4ee86bb8143388e5616d1b7c2
SHA19a5ac602a0e3087439260b045c7c590586a6dac1
SHA256ae456de3284409c2b67cc2d99cde11e00d9947b23ccae05916f3b64ce5759835
SHA512b4b0d3eb2b3eecef0342013fe19632ac5b9a75cb312a1430a536a8b87b9da1a1ca00a216de450c80ac10ed07b546f1920c36e49c7dddf5b9baf8f0147e305cf1
-
C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exeFilesize
1.1MB
MD5251de4b1e1bd67479d61328ad352fd95
SHA1c089659cc5f2a8ccb354cc5f2244910fceabcba8
SHA256507e76a1783eff3690bdf15de7dea88d18087b6713f9db5787d61c1e7fe26890
SHA5121f9d43bc2d3acbda7e3b9bb63cbae41cbac790a363f0fa5bde2da07c3df913556d377f5dffd57865983df8de0255556b0b093ebb5a4ebb6b48ff04c2696a5cf7
-
memory/1828-51-0x000000001B990000-0x000000001B99A000-memory.dmpFilesize
40KB
-
memory/1828-47-0x0000000000720000-0x000000000084C000-memory.dmpFilesize
1.2MB
-
memory/1828-48-0x00000000027E0000-0x00000000027FC000-memory.dmpFilesize
112KB
-
memory/1828-49-0x000000001BB10000-0x000000001BB60000-memory.dmpFilesize
320KB
-
memory/1828-50-0x00000000027C0000-0x00000000027D0000-memory.dmpFilesize
64KB
-
memory/1828-52-0x000000001B9A0000-0x000000001B9AC000-memory.dmpFilesize
48KB
-
memory/4812-33-0x00007FFA05C70000-0x00007FFA06731000-memory.dmpFilesize
10.8MB
-
memory/4812-98-0x00007FFA05C73000-0x00007FFA05C75000-memory.dmpFilesize
8KB
-
memory/4812-99-0x00007FFA05C70000-0x00007FFA06731000-memory.dmpFilesize
10.8MB
-
memory/4812-24-0x000002210DE00000-0x000002210DEC4000-memory.dmpFilesize
784KB
-
memory/4812-21-0x00007FFA05C73000-0x00007FFA05C75000-memory.dmpFilesize
8KB
-
memory/5004-41-0x0000000000950000-0x0000000000D53000-memory.dmpFilesize
4.0MB
-
memory/5004-32-0x0000000000950000-0x0000000000D53000-memory.dmpFilesize
4.0MB