dcrat | 1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2023 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a29004d57b0582196965b9344e0eb7b4.exe
Size

3.5MB
MD5

a29004d57b0582196965b9344e0eb7b4
SHA1

6e0ab8638b3559750dc40e4c23623552d84b5d8c
SHA256

1a659b2d6922bd1ea186c53148094c26733368e9099ea037a83912c02a59d410
SHA512

b097b10dcf833740b4bbd922a035c3658e51d8aeb6dd4f27ff1e8661da8c2ea47593e53b6400af5096943e6eebb27407c1c92b3ea2c10913150edad2f593b5b1
SSDEEP

98304:XFXg7GTzJBVeXbdAWTUjpI5q05tzpMpKcvA0T:XFw7CzgXRAh9O4K5m

Score

10^/10

dcrat evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3800	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	564	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	564	schtasks.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

containerSvc.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\DCRE.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe	dcrat
behavioral2/memory/4392-180-0x0000000000E70000-0x0000000001180000-memory.dmp	dcrat
C:\Windows\Temp\Crashpad\dllhost.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a29004d57b0582196965b9344e0eb7b4.exeDCRE.exeWScript.execontainerSvc.exeRuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	a29004d57b0582196965b9344e0eb7b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	DCRE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	containerSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 4 IoCs

Processes:

DCRE.exeSLIPWARE.execontainerSvc.exeRuntimeBroker.exe

pid process

3936 DCRE.exe
4424 SLIPWARE.exe
4392 containerSvc.exe
3980 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3936	DCRE.exe
4424	SLIPWARE.exe
4392	containerSvc.exe
3980	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

containerSvc.exeRuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Drops file in Program Files directory 2 IoCs

Processes:

containerSvc.exe

description	ioc	process
File created	C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe	containerSvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\cc11b995f2a76d	containerSvc.exe

Drops file in Windows directory 5 IoCs

Processes:

containerSvc.exe

description	ioc	process
File created	C:\Windows\PolicyDefinitions\ja-JP\services.exe	containerSvc.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\c5b4cb5e9653cc	containerSvc.exe
File created	C:\Windows\TAPI\fontdrvhost.exe	containerSvc.exe
File created	C:\Windows\TAPI\5b884080fd4f94	containerSvc.exe
File created	C:\Windows\OCR\en-us\cmd.exe	containerSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4304	schtasks.exe
2664	schtasks.exe
4936	schtasks.exe
524	schtasks.exe
2760	schtasks.exe
4744	schtasks.exe
1888	schtasks.exe
2384	schtasks.exe
4940	schtasks.exe
4668	schtasks.exe
3444	schtasks.exe
3800	schtasks.exe
4928	schtasks.exe
4284	schtasks.exe
2224	schtasks.exe
5072	schtasks.exe
4828	schtasks.exe
4840	schtasks.exe
2268	schtasks.exe
2024	schtasks.exe
4852	schtasks.exe
1932	schtasks.exe
4204	schtasks.exe
560	schtasks.exe
2148	schtasks.exe
4628	schtasks.exe
4908	schtasks.exe

Modifies registry class 2 IoCs

Processes:

DCRE.exeRuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	DCRE.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SLIPWARE.execontainerSvc.exeRuntimeBroker.exe

pid	process
4424	SLIPWARE.exe
4424	SLIPWARE.exe
4424	SLIPWARE.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4424	SLIPWARE.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4392	containerSvc.exe
4424	SLIPWARE.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
4424	SLIPWARE.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
4424	SLIPWARE.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
4424	SLIPWARE.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
4424	SLIPWARE.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
4424	SLIPWARE.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
4424	SLIPWARE.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe
3980	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RuntimeBroker.exe

pid process

3980 RuntimeBroker.exe

pid	process
3980	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

SLIPWARE.execontainerSvc.exeRuntimeBroker.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4424	SLIPWARE.exe
Token: SeDebugPrivilege	4392	containerSvc.exe
Token: SeDebugPrivilege	3980	RuntimeBroker.exe
Token: SeBackupPrivilege	4172	vssvc.exe
Token: SeRestorePrivilege	4172	vssvc.exe
Token: SeAuditPrivilege	4172	vssvc.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

a29004d57b0582196965b9344e0eb7b4.exeDCRE.exeWScript.execmd.execontainerSvc.exeRuntimeBroker.exe

description	pid	process	target process
PID 1064 wrote to memory of 3936	1064	a29004d57b0582196965b9344e0eb7b4.exe	DCRE.exe
PID 1064 wrote to memory of 3936	1064	a29004d57b0582196965b9344e0eb7b4.exe	DCRE.exe
PID 1064 wrote to memory of 3936	1064	a29004d57b0582196965b9344e0eb7b4.exe	DCRE.exe
PID 1064 wrote to memory of 4424	1064	a29004d57b0582196965b9344e0eb7b4.exe	SLIPWARE.exe
PID 1064 wrote to memory of 4424	1064	a29004d57b0582196965b9344e0eb7b4.exe	SLIPWARE.exe
PID 3936 wrote to memory of 32	3936	DCRE.exe	WScript.exe
PID 3936 wrote to memory of 32	3936	DCRE.exe	WScript.exe
PID 3936 wrote to memory of 32	3936	DCRE.exe	WScript.exe
PID 3936 wrote to memory of 3836	3936	DCRE.exe	WScript.exe
PID 3936 wrote to memory of 3836	3936	DCRE.exe	WScript.exe
PID 3936 wrote to memory of 3836	3936	DCRE.exe	WScript.exe
PID 32 wrote to memory of 4492	32	WScript.exe	cmd.exe
PID 32 wrote to memory of 4492	32	WScript.exe	cmd.exe
PID 32 wrote to memory of 4492	32	WScript.exe	cmd.exe
PID 4492 wrote to memory of 4392	4492	cmd.exe	containerSvc.exe
PID 4492 wrote to memory of 4392	4492	cmd.exe	containerSvc.exe
PID 4392 wrote to memory of 3980	4392	containerSvc.exe	RuntimeBroker.exe
PID 4392 wrote to memory of 3980	4392	containerSvc.exe	RuntimeBroker.exe
PID 3980 wrote to memory of 3816	3980	RuntimeBroker.exe	WScript.exe
PID 3980 wrote to memory of 3816	3980	RuntimeBroker.exe	WScript.exe
PID 3980 wrote to memory of 1404	3980	RuntimeBroker.exe	WScript.exe
PID 3980 wrote to memory of 1404	3980	RuntimeBroker.exe	WScript.exe

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

Processes:

containerSvc.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	containerSvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a29004d57b0582196965b9344e0eb7b4.exe
"C:\Users\Admin\AppData\Local\Temp\a29004d57b0582196965b9344e0eb7b4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1064

C:\Users\Admin\AppData\Local\Temp\DCRE.exe
"C:\Users\Admin\AppData\Local\Temp\DCRE.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
"C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe"
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4392

C:\Recovery\WindowsRE\RuntimeBroker.exe
"C:\Recovery\WindowsRE\RuntimeBroker.exe"
6⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba1be1e6-d526-485a-b01a-ec962b9c74ba.vbs"
7⤵
PID:3816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\536c4fa1-321e-4376-aeda-d25e47da90ce.vbs"
7⤵
PID:1404

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs"
3⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
"C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\odt\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2268

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\536c4fa1-321e-4376-aeda-d25e47da90ce.vbs
Filesize
491B

MD5
dda8f6591cfeff38b137583fa2250939

SHA1
daa47f92b77c6f012fa0583ded991988f58fd4df

SHA256
b64b356270a5aae435e77cf114230753b54d91c74d997316e0f8ad1a88b6ca15

SHA512
a8a3434e9c1b5ca803da7ff722753eb53588f486247a57ceabaee104782734aac3287a683efe45174889f1e615d19aac6d3c3e34fcd9fb631eab5c2a6f3bb4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRE.exe
Filesize
3.3MB

MD5
13146f7d739a36053c50fbd0aa3e9d8d

SHA1
de10c9ff567a2413f3fc2ffbd3c9e95c8ce4160c

SHA256
f0aaba469aeda1a6dd59f9c235179e4e826ecbcf7ef02978984c99286d05aff6

SHA512
c1560fd025cb5278067540bf8b2a8bb419046e2c6998346946944f77816bc260f6f9bfc9716e9a91a606ed3b65b4ed605cd53e136e6201c9669f894b2738829d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SLIPWARE.exe
Filesize
563KB

MD5
6a0aa70c2ae786f560c7261c5c5f34b0

SHA1
42cf55d6070e88f12870aa78c0bf19d72c68fa5d

SHA256
0df25151605d6aaa9be8b371af6edc0f36d6620243a0c94495d21d4fe6951bf9

SHA512
58369aee426de92eafa2607eb05665134991850e2727c185f0b20654e513e3ea27dc38c0af5c967ce14a9c79dd6b31c68794496f75f7d4a74beb177162b92cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba1be1e6-d526-485a-b01a-ec962b9c74ba.vbs
Filesize
715B

MD5
c713f6bf1edec7c4ea3a00b3176e19a8

SHA1
733f495075cbe125080cb7adeacbaa209e6a62cb

SHA256
1886c56cb574714bf7bc108b367aed59b683eb554c9d5d6d5a1fed051e4e86bf

SHA512
46a815eff435a8f1c733833f71c69ad72e44af9052ace8d7144560549bccfc16c23c49381658df2378b2d4dd35ab5f433445bfee22212147220e8a0acc388b55

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\150EIi8HhNIkntcrdLIIm.bat
Filesize
41B

MD5
6daccbefb453cde7378d378574cc9c7b

SHA1
92b2145db1421878ffbdad18ba046247b2a4b159

SHA256
6a770c19c51d3806aedcff4d99c12b2e74e979050d68ea84c17adf5f10684041

SHA512
7cbbed8110e59c03aedbac23c8a85c4afac7c1671b36bb1a0947b3bcb1e35305cc8dd75104993d07de18c385a73840caa3a7ca2d2e5e8d444dcf56f420104308

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\OD39V0ZVybL6mpt7I8.vbe
Filesize
217B

MD5
e176c5bbb3e43b082a130d9b7af304c8

SHA1
cde44f62e6a436279028c7009833b8daf5171476

SHA256
f188560cf6c0b289e72f5d142d22f7b52b856928769a09acae5464671b54e84a

SHA512
95ec5a92acbbf337ff2519ac511fba3fe1cc56c8baa4c283e130ea2550b275b8b42c65f773d3fbe5f900f08fb788117b1d3e22574cf09210ada4224077455dbe

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\containerSvc.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
C:\Users\Admin\AppData\Roaming\msMonitorDll\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Windows\Temp\Crashpad\dllhost.exe
Filesize
3.0MB

MD5
bc8ab70d4bf5934131878ca8bf79e792

SHA1
48cac83b05468b0061e3a9d7e7f44ce638216b8a

SHA256
29ce99327ec8f7141924a58bfde49c3875226ee606b32426fca613e4003e27aa

SHA512
31dc3b6fd4e88c365d9885914542598d47152a5155ebe529351ff51362a51363e5d318fee2e6e40021662db7ef591c58ad1ba42805cd1152268221f6b08f0d66

Download Submit
memory/3980-226-0x000000001F430000-0x000000001F5F2000-memory.dmp

Filesize
1.8MB

Download
memory/4392-181-0x000000001BDB0000-0x000000001BDC0000-memory.dmp

Filesize
64KB

Download
memory/4392-183-0x000000001CB00000-0x000000001D028000-memory.dmp

Filesize
5.2MB

Download
memory/4392-182-0x000000001C410000-0x000000001C460000-memory.dmp

Filesize
320KB

Download
memory/4392-180-0x0000000000E70000-0x0000000001180000-memory.dmp

Filesize
3.1MB

Download
memory/4424-172-0x000001BB79570000-0x000001BB7957E000-memory.dmp

Filesize
56KB

Download
memory/4424-171-0x000001BB7B960000-0x000001BB7B998000-memory.dmp

Filesize
224KB

Download
memory/4424-174-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download
memory/4424-175-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download
memory/4424-170-0x000001BB79550000-0x000001BB79558000-memory.dmp

Filesize
32KB

Download
memory/4424-169-0x000001BB79640000-0x000001BB7965A000-memory.dmp

Filesize
104KB

Download
memory/4424-213-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download
memory/4424-214-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download
memory/4424-222-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download
memory/4424-163-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download
memory/4424-153-0x000001BB79110000-0x000001BB791A2000-memory.dmp

Filesize
584KB

Download
memory/4424-225-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download
memory/4424-173-0x000001BB7B720000-0x000001BB7B730000-memory.dmp

Filesize
64KB

Download