dcrat | 32619382ab72416dff258bff30a8b505d6e69e818345612892a121c28f3b23b0

Analysis

max time kernel
103s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21cad48edbc93da2d1e1ab6f6632461a.exe
Size

6.8MB
MD5

21cad48edbc93da2d1e1ab6f6632461a
SHA1

667a584eae5a57937d66d64249c26c8b1b2abf8f
SHA256

32619382ab72416dff258bff30a8b505d6e69e818345612892a121c28f3b23b0
SHA512

9125263a9b31336d350e19f9c79460038f7a6c48db109001e93fd8d7e8aba30c3bf44a362c4f3ee87294d3cf9052cbc8d7da518d34356212cb6f914a9990a21d
SSDEEP

196608:UQKQUc/HMlS2JxmYcmcg7XGqb6Msq51GPo:XKwslSDVoXGe1GQ

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4112	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	5092	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	5092	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2252-0-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat
behavioral2/memory/2252-2-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat
C:\Users\Admin\AppData\Local\Temp\Modrinth.exe	dcrat
behavioral2/memory/2252-14-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat
behavioral2/memory/2252-17-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat
C:\intosessionperfcrtSvc\Componentwebfont.exe	dcrat
behavioral2/memory/2664-41-0x0000000000070000-0x00000000001A4000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe21cad48edbc93da2d1e1ab6f6632461a.exeModrinth.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	21cad48edbc93da2d1e1ab6f6632461a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Modrinth.exe

Executes dropped EXE 2 IoCs

Processes:

Modrinth.exeComponentwebfont.exe

pid process

1568 Modrinth.exe
2664 Componentwebfont.exe
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

35 1848 msiexec.exe

pid	process
1568	Modrinth.exe
2664	Componentwebfont.exe

flow	pid	process
35	1848	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Program Files directory 11 IoCs

Processes:

Componentwebfont.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2	Componentwebfont.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe	Componentwebfont.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	Componentwebfont.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	Componentwebfont.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\61a52ddc9dd915	Componentwebfont.exe
File created	C:\Program Files\MsEdgeCrashpad\reports\msedge.exe	Componentwebfont.exe
File created	C:\Program Files (x86)\Windows Mail\sihost.exe	Componentwebfont.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe	Componentwebfont.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\e6c9b481da804f	Componentwebfont.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\System.exe	Componentwebfont.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\27d1bcfc3c54e0	Componentwebfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

Modrinth.exe21cad48edbc93da2d1e1ab6f6632461a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	Modrinth.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	21cad48edbc93da2d1e1ab6f6632461a.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
4112	schtasks.exe
624	schtasks.exe
1712	schtasks.exe
3800	schtasks.exe
4108	schtasks.exe
4032	schtasks.exe
4748	schtasks.exe
4348	schtasks.exe
320	schtasks.exe
2696	schtasks.exe
2376	schtasks.exe
1052	schtasks.exe
3148	schtasks.exe
4392	schtasks.exe
5088	schtasks.exe
2256	schtasks.exe
4360	schtasks.exe
1244	schtasks.exe
2784	schtasks.exe
1708	schtasks.exe
4704	schtasks.exe
1200	schtasks.exe
444	schtasks.exe
4892	schtasks.exe
4704	schtasks.exe
3944	schtasks.exe
3912	schtasks.exe
4308	schtasks.exe
1712	schtasks.exe
2444	schtasks.exe
4572	schtasks.exe
2796	schtasks.exe
1352	schtasks.exe
2772	schtasks.exe
1368	schtasks.exe
2492	schtasks.exe
4776	schtasks.exe
396	schtasks.exe
1116	schtasks.exe
4548	schtasks.exe
1488	schtasks.exe
4280	schtasks.exe
4520	schtasks.exe
3520	schtasks.exe
3988	schtasks.exe
4476	schtasks.exe
2508	schtasks.exe
2368	schtasks.exe
3588	schtasks.exe
1620	schtasks.exe
1972	schtasks.exe
884	schtasks.exe
1332	schtasks.exe
3408	schtasks.exe
3584	schtasks.exe
60	schtasks.exe
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Componentwebfont.exe

pid process

2664 Componentwebfont.exe
2664 Componentwebfont.exe

pid	process
2664	Componentwebfont.exe
2664	Componentwebfont.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

msiexec.exemsiexec.exeComponentwebfont.exe

description	pid	process
Token: SeShutdownPrivilege	1848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1848	msiexec.exe
Token: SeSecurityPrivilege	4508	msiexec.exe
Token: SeCreateTokenPrivilege	1848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1848	msiexec.exe
Token: SeLockMemoryPrivilege	1848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1848	msiexec.exe
Token: SeMachineAccountPrivilege	1848	msiexec.exe
Token: SeTcbPrivilege	1848	msiexec.exe
Token: SeSecurityPrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeLoadDriverPrivilege	1848	msiexec.exe
Token: SeSystemProfilePrivilege	1848	msiexec.exe
Token: SeSystemtimePrivilege	1848	msiexec.exe
Token: SeProfSingleProcessPrivilege	1848	msiexec.exe
Token: SeIncBasePriorityPrivilege	1848	msiexec.exe
Token: SeCreatePagefilePrivilege	1848	msiexec.exe
Token: SeCreatePermanentPrivilege	1848	msiexec.exe
Token: SeBackupPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeShutdownPrivilege	1848	msiexec.exe
Token: SeDebugPrivilege	1848	msiexec.exe
Token: SeAuditPrivilege	1848	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1848	msiexec.exe
Token: SeChangeNotifyPrivilege	1848	msiexec.exe
Token: SeRemoteShutdownPrivilege	1848	msiexec.exe
Token: SeUndockPrivilege	1848	msiexec.exe
Token: SeSyncAgentPrivilege	1848	msiexec.exe
Token: SeEnableDelegationPrivilege	1848	msiexec.exe
Token: SeManageVolumePrivilege	1848	msiexec.exe
Token: SeImpersonatePrivilege	1848	msiexec.exe
Token: SeCreateGlobalPrivilege	1848	msiexec.exe
Token: SeDebugPrivilege	2664	Componentwebfont.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1848 msiexec.exe

pid	process
1848	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

21cad48edbc93da2d1e1ab6f6632461a.exeModrinth.exeWScript.execmd.exe

description	pid	process	target process
PID 2252 wrote to memory of 1568	2252	21cad48edbc93da2d1e1ab6f6632461a.exe	Modrinth.exe
PID 2252 wrote to memory of 1568	2252	21cad48edbc93da2d1e1ab6f6632461a.exe	Modrinth.exe
PID 2252 wrote to memory of 1568	2252	21cad48edbc93da2d1e1ab6f6632461a.exe	Modrinth.exe
PID 2252 wrote to memory of 1848	2252	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 2252 wrote to memory of 1848	2252	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 2252 wrote to memory of 1848	2252	21cad48edbc93da2d1e1ab6f6632461a.exe	msiexec.exe
PID 1568 wrote to memory of 4448	1568	Modrinth.exe	WScript.exe
PID 1568 wrote to memory of 4448	1568	Modrinth.exe	WScript.exe
PID 1568 wrote to memory of 4448	1568	Modrinth.exe	WScript.exe
PID 4448 wrote to memory of 3920	4448	WScript.exe	cmd.exe
PID 4448 wrote to memory of 3920	4448	WScript.exe	cmd.exe
PID 4448 wrote to memory of 3920	4448	WScript.exe	cmd.exe
PID 3920 wrote to memory of 2664	3920	cmd.exe	Componentwebfont.exe
PID 3920 wrote to memory of 2664	3920	cmd.exe	Componentwebfont.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21cad48edbc93da2d1e1ab6f6632461a.exe
"C:\Users\Admin\AppData\Local\Temp\21cad48edbc93da2d1e1ab6f6632461a.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\Modrinth.exe
"C:\Users\Admin\AppData\Local\Temp\Modrinth.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\intosessionperfcrtSvc\x6qhfc.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\intosessionperfcrtSvc\QvJVxLMgIdUXKZXo3vjvMJd9h.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3920

C:\intosessionperfcrtSvc\Componentwebfont.exe
"C:\intosessionperfcrtSvc\Componentwebfont.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\odt\StartMenuExperienceHost.exe
"C:\odt\StartMenuExperienceHost.exe"
6⤵
PID:5104

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:872

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Program Files\MsEdgeCrashpad\reports\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\MsEdgeCrashpad\reports\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Program Files\MsEdgeCrashpad\reports\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\odt\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 8 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Camera Roll\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Camera Roll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Camera Roll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\intosessionperfcrtSvc\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\intosessionperfcrtSvc\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\intosessionperfcrtSvc\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 9 /tr "'C:\odt\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\odt\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\intosessionperfcrtSvc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\intosessionperfcrtSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\intosessionperfcrtSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi
Filesize
5.0MB

MD5
5003486a784143bc96c3577172bbb44a

SHA1
9a960998807126041fae5b4fe9488d7ff3c5ca42

SHA256
b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

SHA512
3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modrinth.exe
Filesize
1.6MB

MD5
24f86edba8782175bb4583a8ca79ea5a

SHA1
b3acfb862923762902bccaf7920afe9e627a4868

SHA256
17b6cee122e0e8aec959b45f83646d5f7e4e2657677ecbb17ffbaad33d3d5c0b

SHA512
ec3089f6b115a908ede383372277beb36eddc4daa1e8e5e66c7ea87f09578937528028f1087f75409e745a905d4de92e8b3afb2d51c509b7cc1961713039e417

Download Submit
C:\intosessionperfcrtSvc\Componentwebfont.exe
Filesize
1.2MB

MD5
4830c66c5387bfaa6373a25814227c96

SHA1
078b04372a13022208dfe05e40377e76b03fc3e2

SHA256
b9bf137b0ca0aa62f1bdf06327b54d32e26e51b821fa812f5121e8918186fc7f

SHA512
ed42ce5fad26561ed76c181beac01bbc0c9d88ea631e6af6920c04115887e24c8261658842fc3a8cfb9294b86a7008493d9f9c11a72908abc95af48b58f0d5eb

Download Submit
C:\intosessionperfcrtSvc\QvJVxLMgIdUXKZXo3vjvMJd9h.bat
Filesize
47B

MD5
ff5c5922fce8aef2b2169426de756ecc

SHA1
1bb7f0446529c29bae7cbf2f69f7038174dc82dc

SHA256
30c583f42f076c1308bb0e98d1614c3ada94b7c3415413b4aca3a23d1fd3a171

SHA512
4415ca2688f2451fb359bca04427caf647c9724db1f2738ccb280de5716262358e58bf6aab317d30504fd34d10528d57f08214a0a974c059f7a2a38cc80cfe61

Download Submit
C:\intosessionperfcrtSvc\x6qhfc.vbe
Filesize
223B

MD5
f2015b7ecf00bd67c413b1c7cf459beb

SHA1
c76006f8d6e51a4ba90dbdc718838df74ce98785

SHA256
cddddda87b944983edbf6cd8594665f18c81fab3605334f569a9185ee06a5e46

SHA512
d37aaead1a61f22f92b0725f380ff94e2fe17d41bf15ef0c65388e77d10a806a4b411df1e8b38857736e6f37e12f10ea6cb48361fee8086050d1d15100bdb24d

Download Submit
memory/2252-17-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/2252-0-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/2252-14-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/2252-2-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download
memory/2664-41-0x0000000000070000-0x00000000001A4000-memory.dmp

Filesize
1.2MB

Download
memory/2664-42-0x000000001ADC0000-0x000000001ADDC000-memory.dmp

Filesize
112KB

Download
memory/2664-43-0x000000001B370000-0x000000001B3C0000-memory.dmp

Filesize
320KB

Download
memory/2664-44-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2664-46-0x0000000002390000-0x000000000239C000-memory.dmp

Filesize
48KB

Download
memory/2664-45-0x000000001AD80000-0x000000001AD96000-memory.dmp

Filesize
88KB

Download