dcrat | 2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b

General

Target

2F476997ECDB5116621E72532460D7149299A6B058BEE.exe
Size

1.6MB
MD5

2baa6f19fa7f4ef5941e92335aa2c06d
SHA1

68c4872eba868d9e8b640e0e76cb1a4a00331d8e
SHA256

2f476997ecdb5116621e72532460d7149299a6b058bee5b58501484da80d523b
SHA512

ee875b4c223bba5864aa1d5ca165d798625442a8ef0a35ec16dc4283ad404d7656bfeeb262ef2ebdc8d3fe954416c019a210c59e2caba6507ae89f13d12d2d27
SSDEEP

24576:e2G/nvxW3WXeGxRoXGkxVsAjtxWCu2RdBaYwqf36eYmMyXxRlRYSZF083SFN:ebA3V6aXGkzFaPmUzyXnlqSZE

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	1880	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	1880	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercomponentbrowsersessionnet\providerDriver.exe	dcrat
C:\providercomponentbrowsersessionnet\providerDriver.exe	dcrat
behavioral2/memory/3144-145-0x0000000000010000-0x000000000016E000-memory.dmp	dcrat
C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	dcrat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe	dcrat
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2F476997ECDB5116621E72532460D7149299A6B058BEE.exeWScript.exeproviderDriver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	providerDriver.exe

Executes dropped EXE 2 IoCs

Processes:

providerDriver.exesihost.exe

pid process

3144 providerDriver.exe
5052 sihost.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 ipinfo.io
42 ipinfo.io

flow	ioc
43	ipinfo.io
42	ipinfo.io

Drops file in Program Files directory 13 IoCs

Processes:

providerDriver.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\24dbde2999530e	providerDriver.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\ea9f0e6c9e2dcd	providerDriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\89b2ff246e3c18	providerDriver.exe
File created	C:\Program Files (x86)\Windows Mail\sihost.exe	providerDriver.exe
File created	C:\Program Files (x86)\Windows Mail\66fc9ff0ee96c2	providerDriver.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	providerDriver.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6203df4a6bafc7	providerDriver.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\66fc9ff0ee96c2	providerDriver.exe
File created	C:\Program Files\Common Files\microsoft shared\WmiPrvSE.exe	providerDriver.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe	providerDriver.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\providerDriver.exe	providerDriver.exe
File created	C:\Program Files\ModifiableWindowsApps\providerDriver.exe	providerDriver.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe	providerDriver.exe

Drops file in Windows directory 4 IoCs

Processes:

providerDriver.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\431186354\services.exe	providerDriver.exe
File created	C:\Windows\Containers\RuntimeBroker.exe	providerDriver.exe
File created	C:\Windows\Containers\9e8d7a4ca61bd9	providerDriver.exe
File created	C:\Windows\WinSxS\csrss.exe	providerDriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2676	schtasks.exe
1296	schtasks.exe
2536	schtasks.exe
3728	schtasks.exe
3892	schtasks.exe
1388	schtasks.exe
2784	schtasks.exe
2328	schtasks.exe
1624	schtasks.exe
3984	schtasks.exe
216	schtasks.exe
2700	schtasks.exe
5056	schtasks.exe
4460	schtasks.exe
3668	schtasks.exe
1772	schtasks.exe
3868	schtasks.exe
692	schtasks.exe
2456	schtasks.exe
2076	schtasks.exe
5024	schtasks.exe
3916	schtasks.exe
2816	schtasks.exe
924	schtasks.exe
2876	schtasks.exe
1592	schtasks.exe
1896	schtasks.exe
4784	schtasks.exe
852	schtasks.exe
3600	schtasks.exe
4668	schtasks.exe
3828	schtasks.exe
3864	schtasks.exe
4212	schtasks.exe
3008	schtasks.exe
1840	schtasks.exe
3340	schtasks.exe
4696	schtasks.exe
1736	schtasks.exe

Modifies registry class 2 IoCs

Processes:

2F476997ECDB5116621E72532460D7149299A6B058BEE.exeproviderDriver.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	providerDriver.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

providerDriver.exesihost.exe

pid	process
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
3144	providerDriver.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe
5052	sihost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sihost.exe

pid process

5052 sihost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

providerDriver.exesihost.exe

description pid process

Token: SeDebugPrivilege 3144 providerDriver.exe
Token: SeDebugPrivilege 5052 sihost.exe

pid	process
5052	sihost.exe

description	pid	process
Token: SeDebugPrivilege	3144	providerDriver.exe
Token: SeDebugPrivilege	5052	sihost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2F476997ECDB5116621E72532460D7149299A6B058BEE.exeWScript.execmd.exeproviderDriver.execmd.exe

description	pid	process	target process
PID 4552 wrote to memory of 456	4552	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe	WScript.exe
PID 4552 wrote to memory of 456	4552	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe	WScript.exe
PID 4552 wrote to memory of 456	4552	2F476997ECDB5116621E72532460D7149299A6B058BEE.exe	WScript.exe
PID 456 wrote to memory of 1872	456	WScript.exe	cmd.exe
PID 456 wrote to memory of 1872	456	WScript.exe	cmd.exe
PID 456 wrote to memory of 1872	456	WScript.exe	cmd.exe
PID 1872 wrote to memory of 3144	1872	cmd.exe	providerDriver.exe
PID 1872 wrote to memory of 3144	1872	cmd.exe	providerDriver.exe
PID 3144 wrote to memory of 4168	3144	providerDriver.exe	cmd.exe
PID 3144 wrote to memory of 4168	3144	providerDriver.exe	cmd.exe
PID 4168 wrote to memory of 3296	4168	cmd.exe	w32tm.exe
PID 4168 wrote to memory of 3296	4168	cmd.exe	w32tm.exe
PID 4168 wrote to memory of 5052	4168	cmd.exe	sihost.exe
PID 4168 wrote to memory of 5052	4168	cmd.exe	sihost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2F476997ECDB5116621E72532460D7149299A6B058BEE.exe
"C:\Users\Admin\AppData\Local\Temp\2F476997ECDB5116621E72532460D7149299A6B058BEE.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercomponentbrowsersessionnet\RMsUvdXKMQWO2B.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercomponentbrowsersessionnet\VeZgJ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\providercomponentbrowsersessionnet\providerDriver.exe
"C:\providercomponentbrowsersessionnet\providerDriver.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\70SMjx38IK.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:3296

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe
"C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercomponentbrowsersessionnet\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercomponentbrowsersessionnet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercomponentbrowsersessionnet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerDriverp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\providerDriver.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerDriver" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\providerDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "providerDriverp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\providerDriver.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercomponentbrowsersessionnet\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercomponentbrowsersessionnet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercomponentbrowsersessionnet\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Containers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Containers\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sihost.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\Users\Admin\AppData\Local\Temp\70SMjx38IK.bat
Filesize
249B

MD5
b08132c5ba125b65d9533b4d6cbac076

SHA1
84db75ca66ae47f92a8867ef3bfc89e38c4d5be6

SHA256
329124c875a6fd8e578cdbb4d9218b18ea1a2930c40a062acc42afab7a324d36

SHA512
18c19b3dd3e5f4dc452966458dcf0ebb30de25ae90b32b08b50e4f4b258e8ace2b199ee3fae1433cfbf11282c05dca99af0c72061d23bd2a6e99bce6334d6c3d

Download Submit
C:\providercomponentbrowsersessionnet\RMsUvdXKMQWO2B.vbe
Filesize
216B

MD5
5def842da05330520251c8387fad9324

SHA1
280555ffb06b6140968c4e283ccf626600bd76d5

SHA256
8c848ba2be36eac17d91fde15420454ba880b08fabc0d5f6a8b5a1a7490d9bcb

SHA512
aca06163bf5d80c5a7f7d1be66da2553dc438303143e3813b334dbe528278893e20722d30668b4be639a9a799acb546c2cd481d086b963357b903f65b6eb83ca

Download Submit
C:\providercomponentbrowsersessionnet\VeZgJ.bat
Filesize
58B

MD5
936487934c40b7b6efbede5d4665bfe5

SHA1
f5119e4128c38bf607c07a100f670be4b033c4ea

SHA256
7734b8c67c13c61d236a9f437875a85ae13450720be7e4ce398a4e197136395d

SHA512
1bda0aaab8f4988924525c264e6e05a2b16aae2834cd3863474dd31f2581ddb16458bb6fea1cc8edfaec97901af2926be7e28f28f46dc96d039d59176761d2d3

Download Submit
C:\providercomponentbrowsersessionnet\providerDriver.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
C:\providercomponentbrowsersessionnet\providerDriver.exe
Filesize
1.3MB

MD5
859a819f981ca77301ff688f574fdcb1

SHA1
a071e3d67c5e92caf3d417005bd5311e9012fae7

SHA256
406c06dd07479d167bd2cc4d482811c4497b5b766eb185b6d7987af1048fee0a

SHA512
29dfd1101a3798efea8d2d5ebf16b089e3cbe19f81c830dbf924b3e61b63062f1eed183c40bee8fea5d63d8ee6b634215c568129999182b341bfbd3e73437179

Download Submit
memory/3144-148-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

Filesize
64KB

Download
memory/3144-147-0x000000001B9E0000-0x000000001BF08000-memory.dmp

Filesize
5.2MB

Download
memory/3144-146-0x000000001B2E0000-0x000000001B330000-memory.dmp

Filesize
320KB

Download
memory/3144-145-0x0000000000010000-0x000000000016E000-memory.dmp

Filesize
1.4MB

Download
memory/5052-184-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download
memory/5052-185-0x000000001CC40000-0x000000001CE02000-memory.dmp

Filesize
1.8MB

Download
memory/5052-186-0x000000001B0E0000-0x000000001B0F0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads