dcrat | d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98

Analysis

max time kernel
44s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-06-2023 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

06eae25115858e2475c1bab16bae9585
SHA1

657cdc54121fa9baaae7cc944ed935e1eddf4ebc
SHA256

d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98
SHA512

2ad4ccbbf950dac84d2353b9d59e8d59415ec3f9bef1d226270ebc4f416489dc6c39b5c4725dd10316b2cbc6adc8bef3e7db8e430ed581444857db8e0d0c53d1
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbiYS3HzuWTEv3L9aCcyYiqlbl117n1k4Rq5zs:U2G/nvxW3Ww0t03THqRaCQJThLis

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	684	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	684	schtasks.exe

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providerwindriverHostDll\comNet.exe	dcrat
\providerwindriverHostDll\comNet.exe	dcrat
C:\providerwindriverHostDll\comNet.exe	dcrat
\providerwindriverHostDll\comNet.exe	dcrat
behavioral1/memory/1288-67-0x0000000000A20000-0x0000000000AF6000-memory.dmp	dcrat
C:\Windows\Registration\CRMLog\explorer.exe	dcrat
behavioral1/memory/1288-74-0x000000001AED0000-0x000000001AF50000-memory.dmp	dcrat
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe	dcrat
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe	dcrat
behavioral1/memory/328-112-0x0000000000B50000-0x0000000000C26000-memory.dmp	dcrat
behavioral1/memory/328-114-0x000000001B230000-0x000000001B2B0000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

comNet.exeSystem.exe

pid process

1288 comNet.exe
328 System.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1868 cmd.exe
1868 cmd.exe

pid	process
1868	cmd.exe
1868	cmd.exe

Drops file in Program Files directory 6 IoCs

Processes:

comNet.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\winlogon.exe	comNet.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\cc11b995f2a76d	comNet.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\dwm.exe	comNet.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\6cb0b6c459d5d3	comNet.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe	comNet.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\088424020bedd6	comNet.exe

Drops file in Windows directory 8 IoCs

Processes:

comNet.exe

description	ioc	process
File created	C:\Windows\Globalization\Sorting\cc11b995f2a76d	comNet.exe
File created	C:\Windows\inf\ASP.NET\0015\conhost.exe	comNet.exe
File created	C:\Windows\inf\ASP.NET\0015\088424020bedd6	comNet.exe
File created	C:\Windows\IME\conhost.exe	comNet.exe
File created	C:\Windows\IME\088424020bedd6	comNet.exe
File created	C:\Windows\Registration\CRMLog\explorer.exe	comNet.exe
File created	C:\Windows\Registration\CRMLog\7a0fd90576e088	comNet.exe
File created	C:\Windows\Globalization\Sorting\winlogon.exe	comNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1348	schtasks.exe
1804	schtasks.exe
1952	schtasks.exe
1616	schtasks.exe
568	schtasks.exe
732	schtasks.exe
1756	schtasks.exe
1992	schtasks.exe
1700	schtasks.exe
1612	schtasks.exe
1480	schtasks.exe
608	schtasks.exe
1740	schtasks.exe
1628	schtasks.exe
860	schtasks.exe
1824	schtasks.exe
880	schtasks.exe
1240	schtasks.exe
608	schtasks.exe
1608	schtasks.exe
1312	schtasks.exe
1084	schtasks.exe
1984	schtasks.exe
1292	schtasks.exe
2028	schtasks.exe
856	schtasks.exe
1280	schtasks.exe
1840	schtasks.exe
804	schtasks.exe
808	schtasks.exe
1676	schtasks.exe
668	schtasks.exe
1676	schtasks.exe
976	schtasks.exe
1568	schtasks.exe
1292	schtasks.exe
1824	schtasks.exe
1148	schtasks.exe
1616	schtasks.exe
1936	schtasks.exe
652	schtasks.exe
804	schtasks.exe
1312	schtasks.exe
1992	schtasks.exe
732	schtasks.exe
764	schtasks.exe
1664	schtasks.exe
432	schtasks.exe
2028	schtasks.exe
1556	schtasks.exe
1492	schtasks.exe
1624	schtasks.exe
2020	schtasks.exe
984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

comNet.exeSystem.exe

pid	process
1288	comNet.exe
1288	comNet.exe
1288	comNet.exe
1288	comNet.exe
1288	comNet.exe
328	System.exe
328	System.exe
328	System.exe
328	System.exe
328	System.exe
328	System.exe
328	System.exe
328	System.exe
328	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

comNet.exeSystem.exe

description pid process

Token: SeDebugPrivilege 1288 comNet.exe
Token: SeDebugPrivilege 328 System.exe

description	pid	process
Token: SeDebugPrivilege	1288	comNet.exe
Token: SeDebugPrivilege	328	System.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

file.exeWScript.execmd.execomNet.execmd.exe

description	pid	process	target process
PID 1344 wrote to memory of 900	1344	file.exe	WScript.exe
PID 1344 wrote to memory of 900	1344	file.exe	WScript.exe
PID 1344 wrote to memory of 900	1344	file.exe	WScript.exe
PID 1344 wrote to memory of 900	1344	file.exe	WScript.exe
PID 900 wrote to memory of 1868	900	WScript.exe	cmd.exe
PID 900 wrote to memory of 1868	900	WScript.exe	cmd.exe
PID 900 wrote to memory of 1868	900	WScript.exe	cmd.exe
PID 900 wrote to memory of 1868	900	WScript.exe	cmd.exe
PID 1868 wrote to memory of 1288	1868	cmd.exe	comNet.exe
PID 1868 wrote to memory of 1288	1868	cmd.exe	comNet.exe
PID 1868 wrote to memory of 1288	1868	cmd.exe	comNet.exe
PID 1868 wrote to memory of 1288	1868	cmd.exe	comNet.exe
PID 1288 wrote to memory of 664	1288	comNet.exe	cmd.exe
PID 1288 wrote to memory of 664	1288	comNet.exe	cmd.exe
PID 1288 wrote to memory of 664	1288	comNet.exe	cmd.exe
PID 664 wrote to memory of 1992	664	cmd.exe	w32tm.exe
PID 664 wrote to memory of 1992	664	cmd.exe	w32tm.exe
PID 664 wrote to memory of 1992	664	cmd.exe	w32tm.exe
PID 664 wrote to memory of 328	664	cmd.exe	System.exe
PID 664 wrote to memory of 328	664	cmd.exe	System.exe
PID 664 wrote to memory of 328	664	cmd.exe	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868

C:\providerwindriverHostDll\comNet.exe
"C:\providerwindriverHostDll\comNet.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h1kfb9ummi.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1992

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providerwindriverHostDll\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providerwindriverHostDll\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providerwindriverHostDll\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comNetc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\comNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comNet" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\comNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "comNetc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\comNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\Sorting\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\Sorting\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\ASP.NET\0015\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\inf\ASP.NET\0015\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\inf\ASP.NET\0015\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providerwindriverHostDll\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providerwindriverHostDll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providerwindriverHostDll\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providerwindriverHostDll\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providerwindriverHostDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providerwindriverHostDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providerwindriverHostDll\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providerwindriverHostDll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providerwindriverHostDll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providerwindriverHostDll\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providerwindriverHostDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providerwindriverHostDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providerwindriverHostDll\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providerwindriverHostDll\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providerwindriverHostDll\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\IME\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\3c215342-b1b4-11ed-8beb-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\Users\Admin\AppData\Local\Temp\h1kfb9ummi.bat
Filesize
238B

MD5
9068450edc1eab9ddb58e2058b0982aa

SHA1
e4d141a96b322df1b36275195717ca02e4029126

SHA256
59bf7dbd8874848b8c7f6b46173a73c1c30a4970eca42c946c1e1dcab0d70024

SHA512
133c9376238f42ca22f070e6388dd122ccfd4009434de0bd0f4d801f90205066a0ea5b5406bb5e107467dd7acffa398428b2251f57f721ff85305efe2e59cf1c

Download Submit
C:\Windows\Registration\CRMLog\explorer.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat
Filesize
40B

MD5
b7f686a12452b0e946a2b35746aa85d8

SHA1
3637b428ac91dd8e93259eb32e9fd8d1f43825f5

SHA256
91a97a0a5785891a0c5c68a17625dbd99324eb363f0c13707f9ba9be9417253f

SHA512
e70765edac455c33ac137ae6b3e67db616fcbbfe82298b5bbd59dc5179126ecc015fe4c18e9a0bd668da826d2cd4d2e3276dab7ed0331db7892795d6221c4ba8

Download Submit
C:\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe
Filesize
220B

MD5
175e0c8fb6f8d79de10516a3c70b8bd4

SHA1
c46ecb7f245a26cc06f9c227b75cb0e51fa5a922

SHA256
c2d8a00d704a88597d0d1a31b06965713efbf55a6ec68e567fccd4e0ad236079

SHA512
d2895a6260801876bac10b885e137bb3a1a62972d55660e45829aeafc76d25baa8af7857eb2a3d7245ee58404699278e24db4fe7e498f465e294b42578c60926

Download Submit
\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
memory/328-112-0x0000000000B50000-0x0000000000C26000-memory.dmp

Filesize
856KB

Download
memory/328-113-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/328-114-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/1288-74-0x000000001AED0000-0x000000001AF50000-memory.dmp

Filesize
512KB

Download
memory/1288-67-0x0000000000A20000-0x0000000000AF6000-memory.dmp

Filesize
856KB

Download