dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
60s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86c8fa2e136e29f51a3670f440b9f0a0.exe
Size

2.5MB
MD5

86c8fa2e136e29f51a3670f440b9f0a0
SHA1

103d45983c01fc861cb7390afe5db10ff2892fc0
SHA256

da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb
SHA512

7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb
SSDEEP

49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1344	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6068	1344	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1344	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1344	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	1344	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1344	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1344	schtasks.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1196	powershell.exe
5212	powershell.exe
4364	powershell.exe
4628	powershell.exe
4972	powershell.exe
4716	powershell.exe
3476	powershell.exe
5220	powershell.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	86c8fa2e136e29f51a3670f440b9f0a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 6 IoCs

pid	Process
4504	fontdrvhost.exe
628	fontdrvhost.exe
4172	fontdrvhost.exe
4028	fontdrvhost.exe
3028	fontdrvhost.exe
1340	fontdrvhost.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\security\\sppsvc.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Saved Games\\services.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\ProgramData\\Packages\\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\\S-1-5-21-3975168204-1612096350-4002976354-1000\\SystemAppData\\spoolsv.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86c8fa2e136e29f51a3670f440b9f0a0 = "\"C:\\Users\\Public\\Pictures\\86c8fa2e136e29f51a3670f440b9f0a0.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\mfc140ita\\RuntimeBroker.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\smss.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\umpowmi\\fontdrvhost.exe\""	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\mfc140ita\9e8d7a4ca61bd9	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\umpowmi\fontdrvhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\umpowmi\5b884080fd4f94	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\umpowmi\RCX95C4.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mfc140ita\RCX90BF.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mfc140ita\RCX90C0.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\mfc140ita\RuntimeBroker.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\umpowmi\RCX95C5.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\System32\umpowmi\fontdrvhost.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\System32\mfc140ita\RuntimeBroker.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\security\sppsvc.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\security\sppsvc.exe	86c8fa2e136e29f51a3670f440b9f0a0.exe
File created	C:\Windows\security\0a1fd5f707cd16	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\security\RCX9847.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe
File opened for modification	C:\Windows\security\RCX98C5.tmp	86c8fa2e136e29f51a3670f440b9f0a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	86c8fa2e136e29f51a3670f440b9f0a0.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1792	schtasks.exe
6068	schtasks.exe
2044	schtasks.exe
2756	schtasks.exe
3712	schtasks.exe
4616	schtasks.exe
4424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
3476	powershell.exe
3476	powershell.exe
5220	powershell.exe
5220	powershell.exe
4364	powershell.exe
4364	powershell.exe
1196	powershell.exe
1196	powershell.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5212	powershell.exe
5212	powershell.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
4716	powershell.exe
4716	powershell.exe
4972	powershell.exe
4972	powershell.exe
3476	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
5220	powershell.exe
4972	powershell.exe
4364	powershell.exe
5212	powershell.exe
4716	powershell.exe
1196	powershell.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe
4504	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe
Token: SeDebugPrivilege	3476	powershell.exe
Token: SeDebugPrivilege	5220	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	5212	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	4716	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	4504	fontdrvhost.exe
Token: SeDebugPrivilege	628	fontdrvhost.exe
Token: SeDebugPrivilege	4172	fontdrvhost.exe
Token: SeDebugPrivilege	4028	fontdrvhost.exe
Token: SeDebugPrivilege	3028	fontdrvhost.exe
Token: SeDebugPrivilege	1340	fontdrvhost.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 5704 wrote to memory of 4628	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	97
PID 5704 wrote to memory of 4628	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	97
PID 5704 wrote to memory of 4972	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	98
PID 5704 wrote to memory of 4972	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	98
PID 5704 wrote to memory of 4716	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	99
PID 5704 wrote to memory of 4716	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	99
PID 5704 wrote to memory of 3476	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	100
PID 5704 wrote to memory of 3476	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	100
PID 5704 wrote to memory of 5220	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	101
PID 5704 wrote to memory of 5220	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	101
PID 5704 wrote to memory of 1196	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	102
PID 5704 wrote to memory of 1196	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	102
PID 5704 wrote to memory of 5212	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	103
PID 5704 wrote to memory of 5212	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	103
PID 5704 wrote to memory of 4364	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	104
PID 5704 wrote to memory of 4364	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	104
PID 5704 wrote to memory of 4504	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	114
PID 5704 wrote to memory of 4504	5704	86c8fa2e136e29f51a3670f440b9f0a0.exe	114
PID 4504 wrote to memory of 2208	4504	fontdrvhost.exe	115
PID 4504 wrote to memory of 2208	4504	fontdrvhost.exe	115
PID 4504 wrote to memory of 3712	4504	fontdrvhost.exe	116
PID 4504 wrote to memory of 3712	4504	fontdrvhost.exe	116
PID 2208 wrote to memory of 628	2208	WScript.exe	119
PID 2208 wrote to memory of 628	2208	WScript.exe	119
PID 628 wrote to memory of 2848	628	fontdrvhost.exe	120
PID 628 wrote to memory of 2848	628	fontdrvhost.exe	120
PID 628 wrote to memory of 5572	628	fontdrvhost.exe	121
PID 628 wrote to memory of 5572	628	fontdrvhost.exe	121
PID 2848 wrote to memory of 4172	2848	WScript.exe	123
PID 2848 wrote to memory of 4172	2848	WScript.exe	123
PID 4172 wrote to memory of 3672	4172	fontdrvhost.exe	125
PID 4172 wrote to memory of 3672	4172	fontdrvhost.exe	125
PID 4172 wrote to memory of 1232	4172	fontdrvhost.exe	126
PID 4172 wrote to memory of 1232	4172	fontdrvhost.exe	126
PID 3672 wrote to memory of 4028	3672	WScript.exe	129
PID 3672 wrote to memory of 4028	3672	WScript.exe	129
PID 4028 wrote to memory of 2040	4028	fontdrvhost.exe	130
PID 4028 wrote to memory of 2040	4028	fontdrvhost.exe	130
PID 4028 wrote to memory of 2240	4028	fontdrvhost.exe	131
PID 4028 wrote to memory of 2240	4028	fontdrvhost.exe	131
PID 2040 wrote to memory of 3028	2040	WScript.exe	135
PID 2040 wrote to memory of 3028	2040	WScript.exe	135
PID 3028 wrote to memory of 4628	3028	fontdrvhost.exe	136
PID 3028 wrote to memory of 4628	3028	fontdrvhost.exe	136
PID 3028 wrote to memory of 5544	3028	fontdrvhost.exe	137
PID 3028 wrote to memory of 5544	3028	fontdrvhost.exe	137
PID 4628 wrote to memory of 1340	4628	WScript.exe	138
PID 4628 wrote to memory of 1340	4628	WScript.exe	138
PID 1340 wrote to memory of 3804	1340	fontdrvhost.exe	139
PID 1340 wrote to memory of 3804	1340	fontdrvhost.exe	139
PID 1340 wrote to memory of 2984	1340	fontdrvhost.exe	140
PID 1340 wrote to memory of 2984	1340	fontdrvhost.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe
"C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-3975168204-1612096350-4002976354-1000\SystemAppData\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\86c8fa2e136e29f51a3670f440b9f0a0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\mfc140ita\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\umpowmi\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\umpowmi\fontdrvhost.exe
  "C:\Windows\System32\umpowmi\fontdrvhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5812f91-2d74-461d-a7ee-50613d6f040c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\System32\umpowmi\fontdrvhost.exe
      C:\Windows\System32\umpowmi\fontdrvhost.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:628
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86153d11-60bf-448e-8346-edae3b201303.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
      - C:\Windows\System32\umpowmi\fontdrvhost.exe
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb65268e-e7e2-464c-b2c8-97570ff02304.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b6d1372-c70b-4d45-b06a-b2783476b5ca.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd23af7-135c-470e-b290-81f6c841fc07.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f9b6b5-3725-417c-80f7-f33aef68fa17.vbs"
        13⤵
        
        PID:3804
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        
        C:\Windows\System32\umpowmi\fontdrvhost.exe
        14⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05dce78c-2d11-4bb8-85a6-cef747e6586a.vbs"
        13⤵
        
        PID:2984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7d2fa14-235a-4327-980e-8090eec4e4a2.vbs"
        11⤵
        
        PID:5544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c26598d-47cc-4ca7-99bc-dcac1340484a.vbs"
        9⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b2352bd-9174-4630-8097-0d9c172f86a9.vbs"
        7⤵
        
        PID:1232
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70a9b191-7151-4fd2-b670-aa64eedef249.vbs"
        5⤵
        
        PID:5572
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee3cff16-d4c5-4aca-97f1-46cb09bd49d7.vbs"
    3⤵
    PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\ProgramData\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\S-1-5-21-3975168204-1612096350-4002976354-1000\SystemAppData\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "86c8fa2e136e29f51a3670f440b9f0a0" /sc ONLOGON /tr "'C:\Users\Public\Pictures\86c8fa2e136e29f51a3670f440b9f0a0.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\mfc140ita\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\umpowmi\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\smss.exe

Filesize
2.5MB

MD5
86c8fa2e136e29f51a3670f440b9f0a0

SHA1
103d45983c01fc861cb7390afe5db10ff2892fc0

SHA256
da49bed9676a8352a71fdd38dc855a01ca72f5dd393a91e9d7ad71ef9a4f11eb

SHA512
7c5f74c7a041c38216dc4a7f1d60d1a622227b8cd5aea5c1c4d200a5ccfabd7cbd2a17b22ca2ff028fc45dd0373df8cf9a5998cbefe7873fa7f9eda7ad117ddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
9699cf9bb24ebbc9b1035710e92b7bd2

SHA1
73f0f26db57ea306970a76f42c647bbce02a3f23

SHA256
fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5

SHA512
3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fd95e4475b8798a58a9e9d19409c1eac

SHA1
571d070dd6315847c4ba334670beffd245a35c45

SHA256
d33812e9c83075812c904e8ea736f744d614cb597e4c7aa4420021e492390729

SHA512
1ad95b0411ffbdeff090c3c71000377027095ecbc8ad27d9b4c8b7b469e669f7d76cd13f7ab2012779b6ac12c5ff2671f4e44fa8d1f2aefae3824ed74a9fa7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
efd2dfedf7e67764ce4dc0c1475d5543

SHA1
be775a500ecf6c234153afad0b8ec07e56ad74fa

SHA256
662c4f869810ea7f43ce3ccbeccc5b80c443161c56a346fb9054fb1fa613a7ad

SHA512
b167fa92f6d63b18e6247445b1c532a2a229a0fc6dcd26c9d1526749f80c7ec01524b7ce497ab94a3df814f9ce4b7394d872d85555323ddcd08798d565f3211e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
75b793d8785da13700a6ebd48c30d77d

SHA1
b7d004bac69f44d9c847a49933d1df3e4dafd5db

SHA256
ab63179aa6eded5be6820711bfa2b7a9ba0184e6247a9a2aa1ebd839aba08a6b

SHA512
37e43c7b8d21173bc02237c5e1871a79ec95a96984671eeb5f9863dfce157f5f2bc90a6102b1beac6c8c8f928aa5b5094ae822d953f3833ea4e119ec664d4070

Download Submit
C:\Users\Admin\AppData\Local\Temp\40f9b6b5-3725-417c-80f7-f33aef68fa17.vbs

Filesize
719B

MD5
fdcef98175b232eae04058e6405ffd68

SHA1
17c0cd903aeba1fcfe0eb7ebc6b42d9295bc78cb

SHA256
1e8772cd40576f4d5c2950a15bdb759e7cf9baa8804f9fdb5335e37b02c49ffc

SHA512
eb7f7404772ec92414edf526426c1938774c2e356f29b35fe894cb03856d502b998bac8a722ad4e81e5d574f652995587817bf7f49213ba14e5858fc73519db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b6d1372-c70b-4d45-b06a-b2783476b5ca.vbs

Filesize
719B

MD5
7844bfd68aeab7d995e3b4ee5ad9128a

SHA1
0872cfc0c27d297b1f3dc525a9506efb5413b893

SHA256
0545e6a2cc49ef5b2644db82194a319b1f073bfac55bd4b9098f7354aaf9fe9d

SHA512
705835567a6bf13ceeeb55d5d0035c80a3c67a85bd8635deba65e2657a5fe4a287b60eb1b22c5880b5b49b569615ca3c60dc779b73f317c9aec6e656deaddb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\86153d11-60bf-448e-8346-edae3b201303.vbs

Filesize
718B

MD5
38470b9b8af8bc7198f0d2e7802343ff

SHA1
e6d4c1b438a184867c274eec8f4dd98aeabb17f8

SHA256
89d8327fd42c0eb27fed6ce2c03a5cfb0df5d724b65ab36b463432e569a01173

SHA512
1bce5ee22db16298ae3dd522e7e16cd36de7705d60609dc5f054e729bb0b05fe4955a5f725d2c6f801477eb434c10ac6fffc67031773983ff3464cd66eb058aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlsrot15.5lm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5812f91-2d74-461d-a7ee-50613d6f040c.vbs

Filesize
719B

MD5
a67630470a7a3e1999c7128fed61f21b

SHA1
fa618a23115345a60726d6e1516f995be3ee2621

SHA256
4c9f39436eb2fb81db594c5bbebd21d7371bbbdf5ddaf791d90936306d561e05

SHA512
a87e4c827786a7057f828e0669506c423b37566f6c7e6c0ca8a494931fddc6128e52e436de9cebf0c5c2a5a0c57c1ae02c7a14d9b60ce9b6da846bc3b55e34fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb65268e-e7e2-464c-b2c8-97570ff02304.vbs

Filesize
719B

MD5
cee3e8f6b3e58934548e32509514909a

SHA1
df99890131dee0547febd4888126ae2169b0561d

SHA256
e6cf1d57b0f36bc6a0ee355987b4a108ab38d98b324e1f8f03193bf5dbc4d1ab

SHA512
c25cabd884ead900e1c8c56d5fdb5effb7f0bc0247b0c4413825849e7badda9bab098ff5f2d08171f36207f11f8d274453349a60d0dc80dda5a9a2079d8d4c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbd23af7-135c-470e-b290-81f6c841fc07.vbs

Filesize
719B

MD5
8bd71239e2acb286e2701a0ce86f4b2a

SHA1
14eac4b46c5c4e85d14cd41836cf01d77fb64aa9

SHA256
acb49727aba630c957f6f81fe72cffcc74fb09d6ebb47977f22f38406b5d2328

SHA512
88a7624710669b8bfb8265dc7c35791fcbb5684a9918322ae4915b4e494d2055e4d40d46fc8352148577680df4226fe7aa88ad93628c16b116e013ca99ebfb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee3cff16-d4c5-4aca-97f1-46cb09bd49d7.vbs

Filesize
495B

MD5
90017c3674ab57b707ad5d49bf36ea1b

SHA1
56062ac30325c1b549cf62dbf815feef91221e39

SHA256
728031913bdbd5fe60b8337a0298b840db85d89739c91475edef3a99b455aeab

SHA512
f4e003e81e950cda1cb79de1851aff3d56bf35b79980372c9526f05d0364cd5f0abc374b1296d611bea6b05e8d6ebc45135c2dcff59832df3ffbd6a9a41197da

Download Submit
C:\Users\Admin\Saved Games\services.exe

Filesize
2.5MB

MD5
b1f564c06649968918bc179de7b680f9

SHA1
eef052397ea8307b5445cd93a22330161d1c8e92

SHA256
89b23ec90c1d7de2c634682218445de6acc26266a8f69d51038e4c4457c80b95

SHA512
42d59c3044fce815cf17a6b4cb17dca9ad8eafb23b978965cda01a3a3dcd5a9148e8998db43f12e0283fbea179f6bb38c45e80dc7e7113be8c142f81f37a3f09

Download Submit
C:\Windows\System32\umpowmi\fontdrvhost.exe

Filesize
513KB

MD5
363b234ad1f30d4405fc7999b48fa5c8

SHA1
26225ca1d3640ce84e8681d848f3a67253f5c24a

SHA256
ba93dae3e94c7a58dc30346c8a2ef6a1e9bdf2c2334488093a459adf47e4b9eb

SHA512
16a2f9701aabdf9bac0952c31b375d80a190b4f44950de182f5eaea9c795fe0b9625d5a6e1ff7033eabff18c66ccdd340861a7e39a79a532a21e3571e99f3ac4

Download Submit
C:\Windows\security\sppsvc.exe

Filesize
2.5MB

MD5
f3508139babed98fe64bf1e3875cb553

SHA1
11e1a62956224fc8ece9a0c4bf01c66546869224

SHA256
b0ff27bdaa5d3a867cfe236bc84e556ddbb653f20d0adf92dbf91c08e584e4f7

SHA512
bd94ac3affb0ef7093a503d031f993870f42d499ac56c81a6aeb8054c4dd1b91426e816f0b35338227038189700a71ecb3ceb291bfcff8313080ac1275cdbae2

Download Submit
memory/628-294-0x000000001BC50000-0x000000001BD52000-memory.dmp

Filesize
1.0MB

Download
memory/1340-329-0x000000001B570000-0x000000001B582000-memory.dmp

Filesize
72KB

Download
memory/3476-176-0x000001BF3F7A0000-0x000001BF3F7C2000-memory.dmp

Filesize
136KB

Download
memory/4504-252-0x000000001BD30000-0x000000001BD86000-memory.dmp

Filesize
344KB

Download
memory/4504-281-0x000000001CEC0000-0x000000001CFC2000-memory.dmp

Filesize
1.0MB

Download
memory/4504-253-0x000000001B420000-0x000000001B432000-memory.dmp

Filesize
72KB

Download
memory/5704-9-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/5704-0-0x00007FF8AC0E3000-0x00007FF8AC0E5000-memory.dmp

Filesize
8KB

Download
memory/5704-14-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/5704-13-0x000000001B000000-0x000000001B00A000-memory.dmp

Filesize
40KB

Download
memory/5704-12-0x000000001AFF0000-0x000000001AFFA000-memory.dmp

Filesize
40KB

Download
memory/5704-16-0x000000001B810000-0x000000001B81C000-memory.dmp

Filesize
48KB

Download
memory/5704-10-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/5704-5-0x000000001B6C0000-0x000000001B710000-memory.dmp

Filesize
320KB

Download
memory/5704-8-0x000000001B670000-0x000000001B6C6000-memory.dmp

Filesize
344KB

Download
memory/5704-251-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/5704-11-0x000000001BF20000-0x000000001C448000-memory.dmp

Filesize
5.2MB

Download
memory/5704-6-0x00000000024C0000-0x00000000024D0000-memory.dmp

Filesize
64KB

Download
memory/5704-7-0x0000000002540000-0x0000000002550000-memory.dmp

Filesize
64KB

Download
memory/5704-17-0x000000001B820000-0x000000001B828000-memory.dmp

Filesize
32KB

Download
memory/5704-4-0x0000000002520000-0x000000000253C000-memory.dmp

Filesize
112KB

Download
memory/5704-3-0x00000000024B0000-0x00000000024BC000-memory.dmp

Filesize
48KB

Download
memory/5704-2-0x00007FF8AC0E0000-0x00007FF8ACBA1000-memory.dmp

Filesize
10.8MB

Download
memory/5704-18-0x000000001B830000-0x000000001B83A000-memory.dmp

Filesize
40KB

Download
memory/5704-1-0x0000000000070000-0x00000000002F6000-memory.dmp

Filesize
2.5MB

Download
memory/5704-15-0x000000001B880000-0x000000001B88A000-memory.dmp

Filesize
40KB

Download