dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

Analysis

max time kernel
147s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29/10/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	csrss.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4652	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4104	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2192	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	2192	schtasks.exe	87

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/files/0x001b00000002aa73-7.dat	dcrat
behavioral4/files/0x001900000002ab24-23.dat	dcrat
behavioral4/memory/2368-25-0x0000000000E60000-0x0000000000F36000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2604	kendalcp.exe
2368	reviewDll.exe
2468	csrss.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\Idle.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows Mail\6ccacd8608530f	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc	reviewDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	reviewDll.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	reviewDll.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\05124c6dd8237f	reviewDll.exe
File created	C:\Windows\uk-UA\unsecapp.exe	reviewDll.exe
File created	C:\Windows\uk-UA\29c1c3cc0f7685	reviewDll.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\e367ec4c841d7b47849f61295dbc0785\dllhost.exe	reviewDll.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\e367ec4c841d7b47849f61295dbc0785\5940a34987c991	reviewDll.exe
File created	C:\Windows\SchCache\reviewDll.exe	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	kendalcp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2036	schtasks.exe
4532	schtasks.exe
3536	schtasks.exe
1456	schtasks.exe
2364	schtasks.exe
3620	schtasks.exe
4768	schtasks.exe
3236	schtasks.exe
2140	schtasks.exe
4276	schtasks.exe
2776	schtasks.exe
1280	schtasks.exe
4848	schtasks.exe
1340	schtasks.exe
3696	schtasks.exe
1988	schtasks.exe
1944	schtasks.exe
1692	schtasks.exe
1600	schtasks.exe
404	schtasks.exe
1460	schtasks.exe
4556	schtasks.exe
2648	schtasks.exe
4296	schtasks.exe
2164	schtasks.exe
4980	schtasks.exe
4004	schtasks.exe
1232	schtasks.exe
2300	schtasks.exe
1508	schtasks.exe
3912	schtasks.exe
1688	schtasks.exe
2796	schtasks.exe
1992	schtasks.exe
3352	schtasks.exe
4156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2368	reviewDll.exe
2368	reviewDll.exe
2368	reviewDll.exe
2368	reviewDll.exe
2368	reviewDll.exe
2368	reviewDll.exe
2368	reviewDll.exe
2368	reviewDll.exe
2368	reviewDll.exe
2468	csrss.exe
2468	csrss.exe
2468	csrss.exe
2468	csrss.exe
2468	csrss.exe
2468	csrss.exe
2468	csrss.exe
2468	csrss.exe
2468	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2368	reviewDll.exe
Token: SeDebugPrivilege	2468	csrss.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 2604	4044	XBinderOutput(1).exe	82
PID 4044 wrote to memory of 2604	4044	XBinderOutput(1).exe	82
PID 4044 wrote to memory of 2604	4044	XBinderOutput(1).exe	82
PID 2604 wrote to memory of 2916	2604	kendalcp.exe	83
PID 2604 wrote to memory of 2916	2604	kendalcp.exe	83
PID 2604 wrote to memory of 2916	2604	kendalcp.exe	83
PID 2916 wrote to memory of 1136	2916	WScript.exe	84
PID 2916 wrote to memory of 1136	2916	WScript.exe	84
PID 2916 wrote to memory of 1136	2916	WScript.exe	84
PID 1136 wrote to memory of 2368	1136	cmd.exe	86
PID 1136 wrote to memory of 2368	1136	cmd.exe	86
PID 2368 wrote to memory of 2468	2368	reviewDll.exe	124
PID 2368 wrote to memory of 2468	2368	reviewDll.exe	124
PID 2468 wrote to memory of 2108	2468	csrss.exe	153
PID 2468 wrote to memory of 2108	2468	csrss.exe	153
PID 2108 wrote to memory of 3940	2108	cmd.exe	155
PID 2108 wrote to memory of 3940	2108	cmd.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1136
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\uk-UA\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\blocksavesperfMonitorDll\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\blocksavesperfMonitorDll\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\blocksavesperfMonitorDll\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\e367ec4c841d7b47849f61295dbc0785\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\e367ec4c841d7b47849f61295dbc0785\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\e367ec4c841d7b47849f61295dbc0785\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewDllr" /sc MINUTE /mo 6 /tr "'C:\Windows\SchCache\reviewDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewDll" /sc ONLOGON /tr "'C:\Windows\SchCache\reviewDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewDllr" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\reviewDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDll" /f
1⤵
- Process spawned unexpected child process
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDllr" /f
1⤵
- Process spawned unexpected child process
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
- Process spawned unexpected child process
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
- Process spawned unexpected child process
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
- Process spawned unexpected child process
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
- Process spawned unexpected child process
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
- Process spawned unexpected child process
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
- Process spawned unexpected child process
PID:4652

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
- Process spawned unexpected child process
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
- Process spawned unexpected child process
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "unsecapp" /f
1⤵
- Process spawned unexpected child process
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "unsecappu" /f
1⤵
- Process spawned unexpected child process
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
- Process spawned unexpected child process
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
- Process spawned unexpected child process
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininit" /f
1⤵
- Process spawned unexpected child process
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "wininitw" /f
1⤵
- Process spawned unexpected child process
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "services" /f
1⤵
- Process spawned unexpected child process
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "servicess" /f
1⤵
- Process spawned unexpected child process
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
- Process spawned unexpected child process
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
- Process spawned unexpected child process
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
- Process spawned unexpected child process
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
- Process spawned unexpected child process
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "services" /f
1⤵
- Process spawned unexpected child process
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "servicess" /f
1⤵
- Process spawned unexpected child process
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDll" /f
1⤵
- Process spawned unexpected child process
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDllr" /f
1⤵
- Process spawned unexpected child process
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
- Process spawned unexpected child process
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
- Process spawned unexpected child process
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e

Filesize
888B

MD5
23938d0f43bceaf10c1adfda8b50cc9b

SHA1
aa43661164f3734f2304f5a265bd1871a05182e8

SHA256
665c9e5bd9dc8de85bc290d22b4a9ee5285129827829b1fbe4a3520a85c0bd3e

SHA512
b67d0da406a3a78d11aaef3e34d3e9fabac412b6a386104cdd0b69c36cf88cc3b752ed8cf132a434877590228033a48adf83b8a518897e669de78b48e827bb5d

Download Submit
C:\Program Files (x86)\Windows Mail\6ccacd8608530f

Filesize
832B

MD5
757c692f0eef26057a54bb612346ae84

SHA1
898c6af2ba71177b532efafa01de71527252b7ea

SHA256
19c4831c222a6b0ba6f9e57bca33048fafe1d58c864a611862ce27f219f1a2e9

SHA512
0d188f2190e5879363a2c0320ba745760aa061fbc36e88cbdb6f88e3da9158f848f9b6d8d3cf16e6754682db8fddd842c74d1ba98b8a737a12bf71a3b4d71d52

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc

Filesize
415B

MD5
f79449596e28e56829b36b11cd4254d1

SHA1
677780a2fb7f3698872f8093a4e94d1a7e321958

SHA256
087182e1ea6e272662f56ceb83e5d8fadaf99459e37c744239b8274d105972e7

SHA512
2734990dd5f4cbdb083c100660f385c337b6123e1a6e20d9395714d810fdb42e9f3272129a591734fefc55c5d76a3c30b4a7ad72d9710e3de01a96b808239c30

Download Submit
C:\Recovery\WindowsRE\5940a34987c991

Filesize
574B

MD5
0b43489c2b008239caf6dcca0fc86a11

SHA1
bb6d3ecc383fe2acb6fd997e9dbb3d1f60b65fd8

SHA256
b7544a4dafb49b855c3f9b7a5a1255da48d94e20189c9ca6a19db22242d75d11

SHA512
a2cb5a2a5809d954d1b0a64c6079f4ecd6ecc48590f4fa7e1de3cf356f2465d966d2cd4eb94063a9785e197bb29a43739e4b412055c54a14944b56e5de065ffe

Download Submit
C:\Recovery\WindowsRE\5b884080fd4f94

Filesize
319B

MD5
05e1990389f8d8bc754b39d8d3ced1df

SHA1
6a6c4003cc01d4e360db7eedc97850214bff4204

SHA256
34e6be303d6ebf5325d6dff15a3acc853b07f394725dbcf4a51fd8da80a38709

SHA512
2888d501e18b5db56f902ff65ae0d9139e83a5ae759792cba8a6e0d3f6a56b9cf0d83ff560bb269f4a36bcb15a960d1d4269e3aab0d53cb043738b93fdb61461

Download Submit
C:\Recovery\WindowsRE\c5b4cb5e9653cc

Filesize
875B

MD5
cb546eeb9b8d3ba8084a1f17bbc22f23

SHA1
292b1209db06b61be2a33b8aa64175742d9ac224

SHA256
e4973ccb1127c6c560a14ee80a31421166f45572c6de56cd040a1d51331fa4f5

SHA512
ec13ec55d81b550565d465e515cacfed748863b3c8f08a61928c515cecaefafc3e2a37fa314bae88a066f254f179fb75ba3bd50f613484672dc6c3ebe8bf1b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
357B

MD5
fe2eba287a6067aa00a6b15cda381b14

SHA1
38ef0c92ca55e1e30f5dd031a92375b0bbe853b1

SHA256
5d9a56367f26c7d6ff9c79a25bb822ca9eeb8bc3ead5e8a3fc1d6fab26be7fe3

SHA512
e2013f51d81fc1c629195b67352dbaf8b1b20d80b151062947839d4170fe78ade4a243ac35f1b4c65807396231ccea02926db1dc07f5baf427313e6dfd7d4c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\Users\All Users\Microsoft OneDrive\setup\5b884080fd4f94

Filesize
417B

MD5
b838c05ca71dc4003ec71280e47c5c1a

SHA1
7c5e2e893620d5d49579fdf36a45ad141c1e6c1b

SHA256
8c80d3b6acecc6daa5aeb3c4ae64f7e0b533f96f58d371279595fda01cb55344

SHA512
75e53fb573b77485ae3ba2d2641c64a3195785403e3c4ce6744948d1afd696948562dafb9817c6910f451f78a8dde00e3a3be816f0a115c1a1732a4cffa0ca85

Download Submit
C:\Windows\SchCache\05124c6dd8237f

Filesize
235B

MD5
652bbc8789f7bcf9b01022f8be76fa2d

SHA1
a293494584cbcdafc11ab2aa0a584bb243660f58

SHA256
80f656ada7d918cf3876910a211c789eeaac3221fe7fb811128effed552b5998

SHA512
270046ceb826c3adbc4f67c87e29a715c26cd00c1c76cba845121707d2efd5030f4c39aede5486b5afa93cdae8ab45a3e9c146cd47cd149ad67f3f124fdda8ab

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Management.A#\e367ec4c841d7b47849f61295dbc0785\5940a34987c991

Filesize
167B

MD5
4b8f02da8bb42297555d4552e6d4b9e3

SHA1
1fa70bb29fbac6200cc51f1e293aa4b8ba6d0d88

SHA256
b452c28fe9f52253a2f6a623dfa001387f602a763ed6e1f4e2d0236d98b9a040

SHA512
0ab85e949b65bead36e5e58a45855939233f34bd6f772abcf27155f5430201785ce51d2bd4ec88435d3d78a77fce6c8c5dada4c3881140da3fb29f9c92d652d4

Download Submit
C:\Windows\uk-UA\29c1c3cc0f7685

Filesize
917B

MD5
7dfa45fc2445cce7a0757016cdfddc10

SHA1
37e4a59b923bcc33bf4a706521ada0b555ade4de

SHA256
ca28ba4d92a7d6d3890dd7d87a2c7d1184d6be45c1dbcec776a6038aa1a9c1d4

SHA512
8af606c9e34aba4172f30d9e2bdf6fc37bb6b2bb0b7b3fd60879dd30a62d014f1d1972509fffa9d853a067245a5c4e4f35a00dded167c8cd7e2079a6be6ee9b1

Download Submit
C:\blocksavesperfMonitorDll\56085415360792

Filesize
886B

MD5
6595dfe736c1ce07478d4fe56af36910

SHA1
f8c694a845f36991800d8be66ec0a53019120425

SHA256
15a0a9150af8f4950eb9aa7efcecf05d88549eee5930e9a13a09733bd37c016e

SHA512
2b3d7a6d463f575360eaea742178c601fcf7344ded569a5fbe34edda8699ca4f073f616ea2467eb8eba90a97cf2361431b4a37244515151fd5eff8b34d0fffb6

Download Submit
C:\blocksavesperfMonitorDll\5b884080fd4f94

Filesize
532B

MD5
5098d97bf232e5e930afeeba43fdd37a

SHA1
3f494701a7a12388e290430b96b84276dd925692

SHA256
81ab284ca8aa620b985ff6b7c1f8d564f65caf8a3f77349a695b9094ee8c1a92

SHA512
1570f92857e69d297d1537f51c8a3a33ca8c812d7dae941f2d13c5dafe6906d6485c765b403fb74dab31a31c5da13dd62c3502f55e2938cc834f54c904bfab8e

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/2368-25-0x0000000000E60000-0x0000000000F36000-memory.dmp

Filesize
856KB

Download
memory/2468-129-0x000000001DD30000-0x000000001DD3B000-memory.dmp

Filesize
44KB

Download
memory/2468-125-0x000000001DC90000-0x000000001DCD6000-memory.dmp

Filesize
280KB

Download
memory/2468-62-0x000000001BFF0000-0x000000001BFF9000-memory.dmp

Filesize
36KB

Download
memory/2468-61-0x000000001DC90000-0x000000001DCD6000-memory.dmp

Filesize
280KB

Download
memory/2468-63-0x000000001DD00000-0x000000001DD0D000-memory.dmp

Filesize
52KB

Download
memory/2468-127-0x000000001DD00000-0x000000001DD0D000-memory.dmp

Filesize
52KB

Download
memory/2468-126-0x000000001BFF0000-0x000000001BFF9000-memory.dmp

Filesize
36KB

Download
memory/2468-128-0x000000001DD10000-0x000000001DD2E000-memory.dmp

Filesize
120KB

Download
memory/2468-65-0x000000001DD30000-0x000000001DD3B000-memory.dmp

Filesize
44KB

Download
memory/2468-64-0x000000001DD10000-0x000000001DD2E000-memory.dmp

Filesize
120KB

Download
memory/4044-0-0x00007FFA2A063000-0x00007FFA2A065000-memory.dmp

Filesize
8KB

Download
memory/4044-11-0x00007FFA2A060000-0x00007FFA2AB22000-memory.dmp

Filesize
10.8MB

Download
memory/4044-3-0x00007FFA2A060000-0x00007FFA2AB22000-memory.dmp

Filesize
10.8MB

Download
memory/4044-1-0x0000000000CE0000-0x0000000000D7E000-memory.dmp

Filesize
632KB

Download