dcrat | 2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2F476997ECDB5116621E72532460D7149299A6B058BEE.exe
Size

1.6MB
MD5

2baa6f19fa7f4ef5941e92335aa2c06d
SHA1

68c4872eba868d9e8b640e0e76cb1a4a00331d8e
SHA256

2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b
SHA512

ee875b4c223bba5864aa1d5ca165d798625442a8ef0a35ec16dc4283ad404d7656bfeeb262ef2ebdc8d3fe954416c019a210c59e2caba6507ae89f13d12d2d27
SSDEEP

24576:e2G/nvxW3WXeGxRoXGkxVsAjtxWCu2RdBaYwqf36eYmMyXxRlRYSZF083SFN:ebA3V6aXGkzFaPmUzyXnlqSZE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4120	schtasks.exe	65
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4120	schtasks.exe	65

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000300000001e703-143.dat	dcrat
behavioral2/files/0x000300000001e703-144.dat	dcrat
behavioral2/memory/4488-145-0x0000000000C10000-0x0000000000D6E000-memory.dmp	dcrat
behavioral2/files/0x0002000000021916-151.dat	dcrat
behavioral2/files/0x0008000000021639-187.dat	dcrat
behavioral2/files/0x0008000000021639-188.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	providerDriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe

Executes dropped EXE 2 IoCs

pid	Process
4488	providerDriver.exe
4396	OfficeClickToRun.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ipinfo.io
30	ipinfo.io

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe	providerDriver.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\886983d96e3d3e	providerDriver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe	providerDriver.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\c82b8037eab33d	providerDriver.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe	providerDriver.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\7a0fd90576e088	providerDriver.exe
File created	C:\Program Files\Windows Portable Devices\RuntimeBroker.exe	providerDriver.exe
File created	C:\Program Files\Windows Portable Devices\9e8d7a4ca61bd9	providerDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3368	schtasks.exe
4040	schtasks.exe
2640	schtasks.exe
2712	schtasks.exe
4532	schtasks.exe
756	schtasks.exe
3732	schtasks.exe
4148	schtasks.exe
1248	schtasks.exe
2220	schtasks.exe
3900	schtasks.exe
4404	schtasks.exe
3076	schtasks.exe
5012	schtasks.exe
1396	schtasks.exe
2708	schtasks.exe
3320	schtasks.exe
1144	schtasks.exe
732	schtasks.exe
1824	schtasks.exe
4708	schtasks.exe
4816	schtasks.exe
1272	schtasks.exe
4164	schtasks.exe
3568	schtasks.exe
1784	schtasks.exe
2032	schtasks.exe
4408	schtasks.exe
412	schtasks.exe
3944	schtasks.exe
3188	schtasks.exe
4264	schtasks.exe
2560	schtasks.exe
1556	schtasks.exe
4856	schtasks.exe
1136	schtasks.exe
4664	schtasks.exe
3736	schtasks.exe
1868	schtasks.exe
648	schtasks.exe
3480	schtasks.exe
1056	schtasks.exe
4564	schtasks.exe
3788	schtasks.exe
2168	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4488	providerDriver.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe
4396	OfficeClickToRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4396	OfficeClickToRun.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4488	providerDriver.exe
Token: SeDebugPrivilege	4396	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 3156	2868	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe	83
PID 2868 wrote to memory of 3156	2868	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe	83
PID 2868 wrote to memory of 3156	2868	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe	83
PID 3156 wrote to memory of 2088	3156	WScript.exe	88
PID 3156 wrote to memory of 2088	3156	WScript.exe	88
PID 3156 wrote to memory of 2088	3156	WScript.exe	88
PID 2088 wrote to memory of 4488	2088	cmd.exe	90
PID 2088 wrote to memory of 4488	2088	cmd.exe	90
PID 4488 wrote to memory of 4396	4488	providerDriver.exe	138
PID 4488 wrote to memory of 4396	4488	providerDriver.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2F476997ECDB5116621E72532460D7149299A6B058BEE.exe
"C:\Users\Admin\AppData\Local\Temp\2F476997ECDB5116621E72532460D7149299A6B058BEE.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercomponentbrowsersessionnet\RMsUvdXKMQWO2B.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercomponentbrowsersessionnet\VeZgJ.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\providercomponentbrowsersessionnet\providerDriver.exe
      "C:\providercomponentbrowsersessionnet\providerDriver.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4488
    - - C:\Recovery\WindowsRE\OfficeClickToRun.exe
        
        "C:\Recovery\WindowsRE\OfficeClickToRun.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercomponentbrowsersessionnet\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercomponentbrowsersessionnet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercomponentbrowsersessionnet\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\providercomponentbrowsersessionnet\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercomponentbrowsersessionnet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\providercomponentbrowsersessionnet\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercomponentbrowsersessionnet\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercomponentbrowsersessionnet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercomponentbrowsersessionnet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\Recovery\WindowsRE\OfficeClickToRun.exe

Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\providercomponentbrowsersessionnet\RMsUvdXKMQWO2B.vbe

Filesize
216B

MD5
5def842da05330520251c8387fad9324

SHA1
280555ffb06b6140968c4e283ccf626600bd76d5

SHA256
8c848ba2be36eac17d91fde15420454ba880b08fabc0d5f6a8b5a1a7490d9bcb

SHA512
aca06163bf5d80c5a7f7d1be66da2553dc438303143e3813b334dbe528278893e20722d30668b4be639a9a799acb546c2cd481d086b963357b903f65b6eb83ca

Download Submit
C:\providercomponentbrowsersessionnet\VeZgJ.bat

Filesize
58B

MD5
936487934c40b7b6efbede5d4665bfe5

SHA1
f5119e4128c38bf607c07a100f670be4b033c4ea

SHA256
7734b8c67c13c61d236a9f437875a85ae13450720be7e4ce398a4e197136395d

SHA512
1bda0aaab8f4988924525c264e6e05a2b16aae2834cd3863474dd31f2581ddb16458bb6fea1cc8edfaec97901af2926be7e28f28f46dc96d039d59176761d2d3

Download Submit
C:\providercomponentbrowsersessionnet\conhost.exe

Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\providercomponentbrowsersessionnet\providerDriver.exe

Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\providercomponentbrowsersessionnet\providerDriver.exe

Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
memory/4396-190-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/4396-191-0x000000001CA80000-0x000000001CC42000-memory.dmp

Filesize
1.8MB

Download
memory/4396-192-0x0000000000CE0000-0x0000000000CF0000-memory.dmp

Filesize
64KB

Download
memory/4488-148-0x000000001C540000-0x000000001CA68000-memory.dmp

Filesize
5.2MB

Download
memory/4488-147-0x000000001B930000-0x000000001B940000-memory.dmp

Filesize
64KB

Download
memory/4488-146-0x000000001BEB0000-0x000000001BF00000-memory.dmp

Filesize
320KB

Download
memory/4488-145-0x0000000000C10000-0x0000000000D6E000-memory.dmp

Filesize
1.4MB

Download