dcrat | d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98

General

Target

file.exe
Size

1.1MB
MD5

06eae25115858e2475c1bab16bae9585
SHA1

657cdc54121fa9baaae7cc944ed935e1eddf4ebc
SHA256

d9bed95674d8f25aba2b84067e0691d254c86d686a4ec42dec119a8a2b006c98
SHA512

2ad4ccbbf950dac84d2353b9d59e8d59415ec3f9bef1d226270ebc4f416489dc6c39b5c4725dd10316b2cbc6adc8bef3e7db8e430ed581444857db8e0d0c53d1
SSDEEP

12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbiYS3HzuWTEv3L9aCcyYiqlbl117n1k4Rq5zs:U2G/nvxW3Ww0t03THqRaCQJThLis

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	4996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4996	schtasks.exe

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providerwindriverHostDll\comNet.exe	dcrat
C:\providerwindriverHostDll\comNet.exe	dcrat
behavioral2/memory/3752-145-0x0000000000480000-0x0000000000556000-memory.dmp	dcrat
C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	dcrat
C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe	dcrat
C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exeWScript.execomNet.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	comNet.exe

Executes dropped EXE 2 IoCs

Processes:

comNet.exeStartMenuExperienceHost.exe

pid process

3752 comNet.exe
4896 StartMenuExperienceHost.exe

Drops file in Program Files directory 10 IoCs

Processes:

comNet.exe

description	ioc	process
File created	C:\Program Files\ModifiableWindowsApps\spoolsv.exe	comNet.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	comNet.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	comNet.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe	comNet.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\55b276f4edf653	comNet.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\38384e6a620884	comNet.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe	comNet.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6203df4a6bafc7	comNet.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Store.Purchase\Resources\Registry.exe	comNet.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\SearchApp.exe	comNet.exe

Drops file in Windows directory 3 IoCs

Processes:

comNet.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\431186354\services.exe	comNet.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\winlogon.exe	comNet.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\cc11b995f2a76d	comNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2464	schtasks.exe
3512	schtasks.exe
3208	schtasks.exe
2804	schtasks.exe
1180	schtasks.exe
3672	schtasks.exe
1304	schtasks.exe
2036	schtasks.exe
1208	schtasks.exe
1500	schtasks.exe
2436	schtasks.exe
4084	schtasks.exe
3544	schtasks.exe
4528	schtasks.exe
2512	schtasks.exe
2752	schtasks.exe
2872	schtasks.exe
3756	schtasks.exe
3980	schtasks.exe
3396	schtasks.exe
2156	schtasks.exe
892	schtasks.exe
684	schtasks.exe
4040	schtasks.exe
1464	schtasks.exe
432	schtasks.exe
4536	schtasks.exe
3080	schtasks.exe
860	schtasks.exe
4712	schtasks.exe
208	schtasks.exe
1128	schtasks.exe
4904	schtasks.exe
2100	schtasks.exe
444	schtasks.exe
4600	schtasks.exe
4508	schtasks.exe
2384	schtasks.exe
1876	schtasks.exe

Modifies registry class 1 IoCs

Processes:

file.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings file.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	file.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

comNet.exeStartMenuExperienceHost.exe

pid	process
3752	comNet.exe
3752	comNet.exe
3752	comNet.exe
3752	comNet.exe
3752	comNet.exe
3752	comNet.exe
3752	comNet.exe
3752	comNet.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe
4896	StartMenuExperienceHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

4896 StartMenuExperienceHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

comNet.exeStartMenuExperienceHost.exe

description pid process

Token: SeDebugPrivilege 3752 comNet.exe
Token: SeDebugPrivilege 4896 StartMenuExperienceHost.exe

pid	process
4896	StartMenuExperienceHost.exe

description	pid	process
Token: SeDebugPrivilege	3752	comNet.exe
Token: SeDebugPrivilege	4896	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

file.exeWScript.execmd.execomNet.exe

description	pid	process	target process
PID 1624 wrote to memory of 4384	1624	file.exe	WScript.exe
PID 1624 wrote to memory of 4384	1624	file.exe	WScript.exe
PID 1624 wrote to memory of 4384	1624	file.exe	WScript.exe
PID 4384 wrote to memory of 2568	4384	WScript.exe	cmd.exe
PID 4384 wrote to memory of 2568	4384	WScript.exe	cmd.exe
PID 4384 wrote to memory of 2568	4384	WScript.exe	cmd.exe
PID 2568 wrote to memory of 3752	2568	cmd.exe	comNet.exe
PID 2568 wrote to memory of 3752	2568	cmd.exe	comNet.exe
PID 3752 wrote to memory of 4896	3752	comNet.exe	StartMenuExperienceHost.exe
PID 3752 wrote to memory of 4896	3752	comNet.exe	StartMenuExperienceHost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\providerwindriverHostDll\comNet.exe
"C:\providerwindriverHostDll\comNet.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3752

C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providerwindriverHostDll\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providerwindriverHostDll\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providerwindriverHostDll\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providerwindriverHostDll\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providerwindriverHostDll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providerwindriverHostDll\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\odt\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\StartMenuExperienceHost.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\Program Files (x86)\Windows NT\TableTextService\lsass.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\5O0IdEW060cxJkvUmnX.bat
Filesize
40B

MD5
b7f686a12452b0e946a2b35746aa85d8

SHA1
3637b428ac91dd8e93259eb32e9fd8d1f43825f5

SHA256
91a97a0a5785891a0c5c68a17625dbd99324eb363f0c13707f9ba9be9417253f

SHA512
e70765edac455c33ac137ae6b3e67db616fcbbfe82298b5bbd59dc5179126ecc015fe4c18e9a0bd668da826d2cd4d2e3276dab7ed0331db7892795d6221c4ba8

Download Submit
C:\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\comNet.exe
Filesize
827KB

MD5
2b84697f835c36d37b5dc11106d655f5

SHA1
1f406d774af24ba55e55fcf03ee5928905fe7123

SHA256
148197a0b0db24058a70a599a00ff4111376d4d085f796b3a5a3ad767d9ed731

SHA512
ad2d09513a04d055e26d3bce550bb2f7b577aba2449e9d2fb2454b6f58187441922acf541ca79be712f37d61ba16aead9aefd8f2d11a7180444d6ea69f0ee934

Download Submit
C:\providerwindriverHostDll\eQhltUTnqbyYIJBHh.vbe
Filesize
220B

MD5
175e0c8fb6f8d79de10516a3c70b8bd4

SHA1
c46ecb7f245a26cc06f9c227b75cb0e51fa5a922

SHA256
c2d8a00d704a88597d0d1a31b06965713efbf55a6ec68e567fccd4e0ad236079

SHA512
d2895a6260801876bac10b885e137bb3a1a62972d55660e45829aeafc76d25baa8af7857eb2a3d7245ee58404699278e24db4fe7e498f465e294b42578c60926

Download Submit
memory/3752-145-0x0000000000480000-0x0000000000556000-memory.dmp

Filesize
856KB

Download
memory/3752-146-0x000000001B1C0000-0x000000001B1D0000-memory.dmp

Filesize
64KB

Download
memory/4896-184-0x000000001B940000-0x000000001B950000-memory.dmp

Filesize
64KB

Download
memory/4896-185-0x000000001B940000-0x000000001B950000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads