dcrat | f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a

Analysis

max time kernel
300s
max time network
303s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
10-01-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe
Size

2.7MB
MD5

03568cc59bb988ddeb9df3481f81882c
SHA1

1d366a8f9a7cd51b18a69643a1d93dc3af82da65
SHA256

f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a
SHA512

7f9b9fd8e5af7a4660cd1d9ec19489eb7daf759d2065fdb5386c07cb363a0ec0c08a333da994762fadcf523a49896f234ca6e6465727b8a6886baf59f7436b2d
SSDEEP

49152:jbA30Dluyq908xIgQSZjQEoKG7iBNFqPGgeTVvXB8t15KQA+zv+3FGOGp:jbcL5jAiNA+pBvB8v5TAhVGrp

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2012	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2012	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

WmiPrvSE.exepolaw.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1088-75-0x0000000000960000-0x0000000000EF4000-memory.dmp	dcrat
behavioral1/memory/1088-95-0x0000000000960000-0x0000000000EF4000-memory.dmp	dcrat
behavioral1/memory/1968-96-0x0000000000340000-0x00000000008D4000-memory.dmp	dcrat
behavioral1/memory/1968-97-0x0000000000340000-0x00000000008D4000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

Processes:

work.exepolaw.exeWmiPrvSE.exe

pid process

1044 work.exe
1088 polaw.exe
1968 WmiPrvSE.exe
Loads dropped DLL 8 IoCs

Processes:

cmd.exework.exepolaw.exe

pid process

1972 cmd.exe
1044 work.exe
1044 work.exe
1044 work.exe
1044 work.exe
1044 work.exe
1088 polaw.exe
1088 polaw.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1044	work.exe
1088	polaw.exe
1968	WmiPrvSE.exe

pid	process
1972	cmd.exe
1044	work.exe
1044	work.exe
1044	work.exe
1044	work.exe
1044	work.exe
1088	polaw.exe
1088	polaw.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

polaw.exeWmiPrvSE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	polaw.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 20 IoCs

Processes:

polaw.exeWmiPrvSE.exe

pid	process
1088	polaw.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe

Drops file in Program Files directory 2 IoCs

Processes:

polaw.exe

description ioc process

File created C:\Program Files\MSBuild\WMIADAP.exe polaw.exe
File created C:\Program Files\MSBuild\75a57c1bdf437c polaw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\MSBuild\WMIADAP.exe	polaw.exe
File created	C:\Program Files\MSBuild\75a57c1bdf437c	polaw.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1784	schtasks.exe
956	schtasks.exe
1432	schtasks.exe
1948	schtasks.exe
1256	schtasks.exe
1120	schtasks.exe
1712	schtasks.exe
1968	schtasks.exe
588	schtasks.exe
868	schtasks.exe
636	schtasks.exe
1892	schtasks.exe
1496	schtasks.exe
1020	schtasks.exe
1328	schtasks.exe
1732	schtasks.exe
1980	schtasks.exe
2000	schtasks.exe
1716	schtasks.exe
692	schtasks.exe
1212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

polaw.exeWmiPrvSE.exe

pid	process
1088	polaw.exe
1088	polaw.exe
1088	polaw.exe
1088	polaw.exe
1088	polaw.exe
1088	polaw.exe
1088	polaw.exe
1088	polaw.exe
1088	polaw.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe
1968	WmiPrvSE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WmiPrvSE.exe

pid process

1968 WmiPrvSE.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

polaw.exeWmiPrvSE.exe

description pid process

Token: SeDebugPrivilege 1088 polaw.exe
Token: SeDebugPrivilege 1968 WmiPrvSE.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

polaw.exeWmiPrvSE.exe

pid process

1088 polaw.exe
1968 WmiPrvSE.exe

pid	process
1968	WmiPrvSE.exe

description	pid	process
Token: SeDebugPrivilege	1088	polaw.exe
Token: SeDebugPrivilege	1968	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.execmd.exework.exepolaw.exe

description	pid	process	target process
PID 1324 wrote to memory of 1972	1324	f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe	cmd.exe
PID 1324 wrote to memory of 1972	1324	f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe	cmd.exe
PID 1324 wrote to memory of 1972	1324	f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe	cmd.exe
PID 1324 wrote to memory of 1972	1324	f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe	cmd.exe
PID 1972 wrote to memory of 1044	1972	cmd.exe	work.exe
PID 1972 wrote to memory of 1044	1972	cmd.exe	work.exe
PID 1972 wrote to memory of 1044	1972	cmd.exe	work.exe
PID 1972 wrote to memory of 1044	1972	cmd.exe	work.exe
PID 1044 wrote to memory of 1088	1044	work.exe	polaw.exe
PID 1044 wrote to memory of 1088	1044	work.exe	polaw.exe
PID 1044 wrote to memory of 1088	1044	work.exe	polaw.exe
PID 1044 wrote to memory of 1088	1044	work.exe	polaw.exe
PID 1088 wrote to memory of 1968	1088	polaw.exe	WmiPrvSE.exe
PID 1088 wrote to memory of 1968	1088	polaw.exe	WmiPrvSE.exe
PID 1088 wrote to memory of 1968	1088	polaw.exe	WmiPrvSE.exe
PID 1088 wrote to memory of 1968	1088	polaw.exe	WmiPrvSE.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

polaw.exeWmiPrvSE.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	polaw.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	polaw.exe

C:\Users\Admin\AppData\Local\Temp\f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe
"C:\Users\Admin\AppData\Local\Temp\f6c1990f00c7c5ff1740807aab4d950e424aaec26010dc8d10c3a6fadff2e47a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe"
4⤵
- UAC bypass
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1088

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "workw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\work.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "work" /sc ONLOGON /tr "'C:\Users\Default\work.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "workw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\work.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\MSBuild\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\5e97ab82-6219-11ed-b9ee-5e34c4ab0fa3\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\taskeng.exe
taskeng.exe {1F335CA0-3C0F-47AD-A65F-10E8767F23A3} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
2.6MB

MD5
3a2500e0bafbdafa76666fc6d9e77b35

SHA1
4f38bec9102d11cb714994cde77b88c95744aeb4

SHA256
b1e91ef2f0be9acf51446d80c65c2385030a300498c9f22552f9e01998160b66

SHA512
db0d4b74769f936b1785a46093be47feac1d4ab8372adea7793eddab7af544742ed367f8030f0eb00f903af1c3faefe69bf02a0371dc00638043ff6f38757df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
2.6MB

MD5
3a2500e0bafbdafa76666fc6d9e77b35

SHA1
4f38bec9102d11cb714994cde77b88c95744aeb4

SHA256
b1e91ef2f0be9acf51446d80c65c2385030a300498c9f22552f9e01998160b66

SHA512
db0d4b74769f936b1785a46093be47feac1d4ab8372adea7793eddab7af544742ed367f8030f0eb00f903af1c3faefe69bf02a0371dc00638043ff6f38757df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\??\c:\msocache\all users\{90140000-001b-0409-0000-0000000ff1ce}-c\wmiprvse.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\??\c:\users\admin\appdata\local\temp\rarsfx1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
2.6MB

MD5
3a2500e0bafbdafa76666fc6d9e77b35

SHA1
4f38bec9102d11cb714994cde77b88c95744aeb4

SHA256
b1e91ef2f0be9acf51446d80c65c2385030a300498c9f22552f9e01998160b66

SHA512
db0d4b74769f936b1785a46093be47feac1d4ab8372adea7793eddab7af544742ed367f8030f0eb00f903af1c3faefe69bf02a0371dc00638043ff6f38757df2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\polaw.exe
Filesize
2.3MB

MD5
40dfa5d6ea29340db151e24859b6d84e

SHA1
1fac98312ed935a9a0ba9b512c21927ebd8b15c2

SHA256
3090c4184f28e71de8af49ac011b9cf257d3dab9c7a062dbfc3711ff9d3d1fe3

SHA512
d504059721f0264668c49b0be8aa2a73c29520d6a2c5d10446cfba3b4a1e9475abd360385f74fac7b884e7c441335259743eb9a08ebf98541bd4681dcd40435a

Download Submit
memory/1044-71-0x0000000003A10000-0x0000000003FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1044-72-0x0000000003A10000-0x0000000003FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1044-73-0x0000000003A10000-0x0000000003FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1044-59-0x0000000000000000-mapping.dmp

Download
memory/1088-76-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/1088-86-0x0000000005030000-0x000000000503C000-memory.dmp

Filesize
48KB

Download
memory/1088-77-0x0000000002410000-0x000000000242C000-memory.dmp

Filesize
112KB

Download
memory/1088-78-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1088-79-0x0000000002590000-0x00000000025A0000-memory.dmp

Filesize
64KB

Download
memory/1088-80-0x00000000027D0000-0x00000000027E6000-memory.dmp

Filesize
88KB

Download
memory/1088-81-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/1088-82-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/1088-83-0x0000000002DE0000-0x0000000002DEA000-memory.dmp

Filesize
40KB

Download
memory/1088-84-0x0000000002E00000-0x0000000002E56000-memory.dmp

Filesize
344KB

Download
memory/1088-85-0x0000000002E50000-0x0000000002E62000-memory.dmp

Filesize
72KB

Download
memory/1088-95-0x0000000000960000-0x0000000000EF4000-memory.dmp

Filesize
5.6MB

Download
memory/1088-87-0x0000000005040000-0x000000000504E000-memory.dmp

Filesize
56KB

Download
memory/1088-88-0x0000000005050000-0x000000000505C000-memory.dmp

Filesize
48KB

Download
memory/1088-75-0x0000000000960000-0x0000000000EF4000-memory.dmp

Filesize
5.6MB

Download
memory/1088-67-0x0000000000000000-mapping.dmp

Download
memory/1088-74-0x0000000000960000-0x0000000000EF4000-memory.dmp

Filesize
5.6MB

Download
memory/1324-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1968-91-0x0000000000000000-mapping.dmp

Download
memory/1968-96-0x0000000000340000-0x00000000008D4000-memory.dmp

Filesize
5.6MB

Download
memory/1968-97-0x0000000000340000-0x00000000008D4000-memory.dmp

Filesize
5.6MB

Download
memory/1968-98-0x0000000000340000-0x00000000008D4000-memory.dmp

Filesize
5.6MB

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download