Overview

overview

10

Static

static

10

MsSavesSes...YY.bat

windows10-2004-x64

8

MsSavesSes...YY.bat

windows10-ltsc 2021-x64

8

MsSavesSes...YY.bat

windows11-21h2-x64

8

MsSavesSes...YY.bat

windows7-x64

8

MsSavesSes...O1.vbe

windows10-2004-x64

3

MsSavesSes...O1.vbe

windows10-ltsc 2021-x64

3

MsSavesSes...O1.vbe

windows11-21h2-x64

3

MsSavesSes...O1.vbe

windows7-x64

3

MsSavesSes...rf.exe

windows10-2004-x64

10

MsSavesSes...rf.exe

windows10-ltsc 2021-x64

10

MsSavesSes...rf.exe

windows11-21h2-x64

10

MsSavesSes...rf.exe

windows7-x64

10

MsSavesSes...le.vbs

windows10-2004-x64

1

MsSavesSes...le.vbs

windows10-ltsc 2021-x64

1

MsSavesSes...le.vbs

windows11-21h2-x64

1

MsSavesSes...le.vbs

windows7-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MsSavesSessionDll/agentreviewPerf.exe

  • Size

    2.3MB

  • MD5

    4e69fcf73418a08fcb8b3e7e2ecb43c4

  • SHA1

    a3ecd09f65ca4e7821a0b7f8596edcd679573f5b

  • SHA256

    fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4

  • SHA512

    a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3

  • SSDEEP

    49152:BwpUwcTZ0rUinysyVZl5LCCcG3RTXM34FIIPWYJxuQfUgtFneJ8BG5U:Bw1ctUyjTLC8puaX/neJ8BgU

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 31 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 62 IoCs
    persistence
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe
    "C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe
      "C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FtjbdhksCw.bat"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\system32\w32tm.exe
          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          4⤵
            PID:4564
          • C:\Users\Default User\agentreviewPerf.exe
            "C:\Users\Default User\agentreviewPerf.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\SppExtComObj.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:2076
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\schemas\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3228
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\schemas\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2204
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\taskhostw.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Java\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\taskhostw.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3384
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1376
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1556
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\TextInputHost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1716
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\host\SppExtComObj.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1256
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\SppExtComObj.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4688
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:4288
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:3280
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4648
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:1912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Crashpad\attachments\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:3532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:3172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4352
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:4008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3644
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:3464
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\spoolsv.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1700
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:2908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4156
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\fontdrvhost.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3240
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:1568
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\host\fxr\7.0.16\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4768
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:1740
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\unsecapp.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:932
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2308
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.ECApp_8wekyb3d8bbwe\unsecapp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1672
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:4944
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:4012
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4656
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SearchApp.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:4696
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:4824
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4908
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1424
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4772
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\spoolsv.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      PID:776
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4704
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Recent\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:5116
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2652
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3812
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2136
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\agentreviewPerf.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4832
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentreviewPerf" /sc ONLOGON /tr "'C:\Users\Default User\agentreviewPerf.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3184
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\agentreviewPerf.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\agentreviewPerf.exe'" /f
      1⤵
      • Process spawned unexpected child process
      PID:1560
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentreviewPerf" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\agentreviewPerf.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:4300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\agentreviewPerf.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1548
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\explorer.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:1336
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:3572
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\explorer.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2800
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\winlogon.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      PID:4452
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Scheduled Task/Job: Scheduled Task
      PID:4444
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Scheduled Task/Job: Scheduled Task
      PID:3504
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\sihost.exe'" /f
      1⤵
      • DcRat
      • Scheduled Task/Job: Scheduled Task
      PID:1084
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\sihost.exe'" /rl HIGHEST /f
      1⤵
        PID:2008
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\en-US\sihost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:2360
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:444
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:2636
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:2076
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:2204
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1900
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:1704
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\dllhost.exe'" /f
        1⤵
        • DcRat
        PID:1376
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4672
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:1776
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /f
        1⤵
        • DcRat
        PID:1256
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2624
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\fontdrvhost.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:4240
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2420
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:2864
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\dllhost.exe'" /f
        1⤵
        • DcRat
        PID:2556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:5052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        PID:3680
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:1176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • DcRat
        • Scheduled Task/Job: Scheduled Task
        PID:3172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
          PID:372
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\System.exe'" /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\System.exe'" /rl HIGHEST /f
          1⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\System.exe'" /rl HIGHEST /f
          1⤵
            PID:3464

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Recovery\WindowsRE\9e8d7a4ca61bd9
            Filesize

            371B

            MD5

            d5493077ab5d988325c408450d113c74

            SHA1

            df4d78a02ab2b2497f8cac3146c1bc0f77eab1b3

            SHA256

            3bade1bdae867204e40c9cc79ff0a66c8e0a4b703151dcc132044cfd526a556e

            SHA512

            69ae0fb6ecf9276e6345a498eeecf2cad74ae695e86566684fccc8fbdd5f1abb5c0efe09b58d74e5fa897bb24e0fa00f03a0103b7bc36eb92991f48b6f577abf

            Download Submit

          • C:\Recovery\WindowsRE\RuntimeBroker.exe
            Filesize

            2.3MB

            MD5

            4e69fcf73418a08fcb8b3e7e2ecb43c4

            SHA1

            a3ecd09f65ca4e7821a0b7f8596edcd679573f5b

            SHA256

            fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4

            SHA512

            a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\agentreviewPerf.exe.log
            Filesize

            1KB

            MD5

            bbb951a34b516b66451218a3ec3b0ae1

            SHA1

            7393835a2476ae655916e0a9687eeaba3ee876e9

            SHA256

            eb70c64ae99d14ac2588b7a84854fbf3c420532d7fe4dfd49c7b5a70c869943a

            SHA512

            63bcbfcf8e7421c66855c487c31b2991a989bdea0c1edd4c40066b52fa3eb3d9d37db1cd21b8eb4f33dd5870cc20532c8f485eab9c0b4f6b0793a35c077f2d6f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\3afbd30b939f55f45d129c7b61b03737ca46b2654.5.32144592a011a543d8eda902c9c49d53ec922af603
            Filesize

            1KB

            MD5

            0cec91392f3fe34effd7a011a6ff097e

            SHA1

            a6c8c41c4d993e0679442f0eefeb46b15d959709

            SHA256

            232ba2c9b478ce70b437dca0848f59f89b27c5299bf6dcd3b2d85c672ec5ec3b

            SHA512

            b1d08ed6703d4c1d05293c4a28075978754841f6556bf9a0b3f979f71c08d0748c52a8967a1cee503115e9de1773a61c8c67a2770e17767e577b87106af2e278

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\FtjbdhksCw.bat
            Filesize

            206B

            MD5

            2a654d40439c6f9d0ea27c5e49786019

            SHA1

            c779b4e8e5c8a7b7930f6cbfa8910f239121fb14

            SHA256

            eabd41d926bdcca7782ff8bacf890d30419e9fca8ff79f643b54aae3bee7a74c

            SHA512

            9029671b9f04e25496eb330ea32407e8655d3ef5c34c0fe0e76350a5f4e90233cc069497a5c8f0e876017822d0e4a1ad657e24f40c43a5893f6bbed1c71c5267

            Download Submit

          • memory/1736-43-0x000000001B3E0000-0x000000001B3F2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1736-42-0x000000001B980000-0x000000001B9D6000-memory.dmp

            Filesize

            344KB

            Download

          • memory/3700-6-0x0000000002780000-0x00000000027D6000-memory.dmp

            Filesize

            344KB

            Download

          • memory/3700-41-0x00007FFD6EFA0000-0x00007FFD6FA61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3700-10-0x000000001B030000-0x000000001B038000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3700-9-0x00000000027E0000-0x00000000027EE000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3700-11-0x000000001B040000-0x000000001B048000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3700-7-0x00000000027D0000-0x00000000027E2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/3700-5-0x0000000002760000-0x0000000002776000-memory.dmp

            Filesize

            88KB

            Download

          • memory/3700-8-0x000000001BEA0000-0x000000001C3C8000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/3700-0-0x00007FFD6EFA3000-0x00007FFD6EFA5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3700-4-0x000000001AFC0000-0x000000001B010000-memory.dmp

            Filesize

            320KB

            Download

          • memory/3700-3-0x00000000025E0000-0x00000000025FC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3700-2-0x00007FFD6EFA0000-0x00007FFD6FA61000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3700-1-0x00000000000B0000-0x0000000000302000-memory.dmp

            Filesize

            2.3MB

            Download

          • memory/4048-92-0x000000001B680000-0x000000001B6D6000-memory.dmp

            Filesize

            344KB

            Download

          • memory/4048-93-0x0000000001300000-0x0000000001312000-memory.dmp

            Filesize

            72KB

            Download