dcrat | 900ccdd38370b47717625cd48c813226a968fd8a30651ca5bd8112df94e47155

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExtremeInjectorv3exeexeex.exe
Size

1.1MB
MD5

952787e3a56affaa50f055dc9a9e8138
SHA1

95a0f7fe9ffc730871ca37357459e0a5a82301fe
SHA256

900ccdd38370b47717625cd48c813226a968fd8a30651ca5bd8112df94e47155
SHA512

f116dfe733dd8565bfe3f1d1529ac269172509f7cd7748d7e4c6cecb96b91a81a1dd3e8a8f9af97aa53d07bc14e0eeb192971c7bf56e7911a9ae167039912ff8
SSDEEP

24576:U2G/nvxW3Ww0tfieCsfxqRyqCOmaqxn57oPqV3o2F:UbA30fiMYRyfi9K

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2108	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2108	schtasks.exe	88

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0006000000023202-143.dat	dcrat
behavioral2/files/0x0006000000023202-144.dat	dcrat
behavioral2/memory/3640-145-0x00000000007E0000-0x00000000008B6000-memory.dmp	dcrat
behavioral2/files/0x0006000000023207-149.dat	dcrat
behavioral2/files/0x000600000002321d-191.dat	dcrat
behavioral2/files/0x000600000002321d-193.dat	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	ExtremeInjectorv3exeexeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation	hypersavescommon.exe

Executes dropped EXE 2 IoCs

pid	Process
3640	hypersavescommon.exe
3432	RuntimeBroker.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\66fc9ff0ee96c2	hypersavescommon.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\System.exe	hypersavescommon.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\27d1bcfc3c54e0	hypersavescommon.exe
File created	C:\Program Files\Google\Chrome\Application\System.exe	hypersavescommon.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe	hypersavescommon.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\Registry.exe	hypersavescommon.exe
File created	C:\Program Files\Uninstall Information\69ddcba757bf72	hypersavescommon.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\sihost.exe	hypersavescommon.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\088424020bedd6	hypersavescommon.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\ee2ad38f3d4382	hypersavescommon.exe
File created	C:\Program Files\Uninstall Information\smss.exe	hypersavescommon.exe
File created	C:\Program Files\Google\Chrome\Application\27d1bcfc3c54e0	hypersavescommon.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\cmd.exe	hypersavescommon.exe
File created	C:\Windows\Vss\Writers\Application\ebf1f9fa8afd6d	hypersavescommon.exe
File created	C:\Windows\Help\Help\taskhostw.exe	hypersavescommon.exe
File created	C:\Windows\Help\Help\ea9f0e6c9e2dcd	hypersavescommon.exe
File created	C:\Windows\bcastdvr\unsecapp.exe	hypersavescommon.exe
File created	C:\Windows\bcastdvr\29c1c3cc0f7685	hypersavescommon.exe
File created	C:\Windows\CSC\StartMenuExperienceHost.exe	hypersavescommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4736	schtasks.exe
2760	schtasks.exe
64	schtasks.exe
4320	schtasks.exe
3536	schtasks.exe
4908	schtasks.exe
4464	schtasks.exe
4728	schtasks.exe
1056	schtasks.exe
5064	schtasks.exe
3656	schtasks.exe
2544	schtasks.exe
2500	schtasks.exe
4752	schtasks.exe
1200	schtasks.exe
4352	schtasks.exe
3908	schtasks.exe
4412	schtasks.exe
2528	schtasks.exe
4980	schtasks.exe
4732	schtasks.exe
2996	schtasks.exe
1348	schtasks.exe
2224	schtasks.exe
2188	schtasks.exe
3760	schtasks.exe
3916	schtasks.exe
1208	schtasks.exe
3704	schtasks.exe
4492	schtasks.exe
4656	schtasks.exe
3780	schtasks.exe
3764	schtasks.exe
3616	schtasks.exe
4152	schtasks.exe
3892	schtasks.exe
3936	schtasks.exe
464	schtasks.exe
2676	schtasks.exe
3660	schtasks.exe
632	schtasks.exe
4564	schtasks.exe
2496	schtasks.exe
1852	schtasks.exe
3648	schtasks.exe
532	schtasks.exe
1060	schtasks.exe
4124	schtasks.exe
4480	schtasks.exe
2028	schtasks.exe
996	schtasks.exe
5044	schtasks.exe
976	schtasks.exe
1784	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\Local Settings	ExtremeInjectorv3exeexeex.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3640	hypersavescommon.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe
3432	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3640	hypersavescommon.exe
Token: SeDebugPrivilege	3432	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 1760	2220	ExtremeInjectorv3exeexeex.exe	84
PID 2220 wrote to memory of 1760	2220	ExtremeInjectorv3exeexeex.exe	84
PID 2220 wrote to memory of 1760	2220	ExtremeInjectorv3exeexeex.exe	84
PID 1760 wrote to memory of 2848	1760	WScript.exe	85
PID 1760 wrote to memory of 2848	1760	WScript.exe	85
PID 1760 wrote to memory of 2848	1760	WScript.exe	85
PID 2848 wrote to memory of 3640	2848	cmd.exe	87
PID 2848 wrote to memory of 3640	2848	cmd.exe	87
PID 3640 wrote to memory of 3432	3640	hypersavescommon.exe	143
PID 3640 wrote to memory of 3432	3640	hypersavescommon.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ExtremeInjectorv3exeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\ExtremeInjectorv3exeexeex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentproviderhostCommon\K3yBHlVLiaCcvz4HpBHLUU1hEQE.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentproviderhostCommon\gRrW1usacKiPTA.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\agentproviderhostCommon\hypersavescommon.exe
      "C:\agentproviderhostCommon\hypersavescommon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\odt\RuntimeBroker.exe
        
        "C:\odt\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Application\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\agentproviderhostCommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\agentproviderhostCommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\agentproviderhostCommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\agentproviderhostCommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\agentproviderhostCommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\agentproviderhostCommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Help\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Help\Help\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Help\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\3D Objects\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\bcastdvr\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\bcastdvr\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Java\jre1.8.0_66\bin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre1.8.0_66\bin\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Vss\Writers\Application\cmd.exe

Filesize
827KB

MD5
e444951e5a3dfc00be07b161a2b5df5d

SHA1
26d283b52a4fdda9710207e50229388b36feaeea

SHA256
78c8c81204ed569b87cfa7a61cba3ec831b04cc6819c4aa03a60cd0e7ac29a1b

SHA512
8ab02f31f64c5706f1055b4ddf1b8be55755532f0d0c09715545e34eb67b78c6b8a7c3fbfd54fd3458d57e5e3dbbf40ffecbb90620ae3516ea0baf83e732b9af

Download Submit
C:\agentproviderhostCommon\K3yBHlVLiaCcvz4HpBHLUU1hEQE.vbe

Filesize
214B

MD5
45a060795037b771e0bf5b3bda2e1f20

SHA1
f8c5a958373fa11184e3e317d4fd8e73bcc2bf14

SHA256
a0631b079aad3bf4a093d203d82a793476b159971bd68293ad2ac14fae3f0d6c

SHA512
67e1d4942440680978d7b4bb128562644551a5664326c971ba5f1d3c585168683f2471c8a1697895d5dc284fb8488a02883371480d6ddc0c4f1333f48aca3ad4

Download Submit
C:\agentproviderhostCommon\gRrW1usacKiPTA.bat

Filesize
49B

MD5
66ffe5ec7277a9b39e1fa130b1efa086

SHA1
4cafe1480288039281ea25921fabfdb7782c47a5

SHA256
a98ff41a733284014184d27b72a9627358869b9c20008b4513a67fb9979a7f27

SHA512
6887e83b41d061a9d4216b74b6c7c3915c604884bfc5929a786c65e6c28feb917d7d3bbd275d4125fc654765839c3a1741f7c50cddaac5f77ee8c1447f542d36

Download Submit
C:\agentproviderhostCommon\hypersavescommon.exe

Filesize
827KB

MD5
e444951e5a3dfc00be07b161a2b5df5d

SHA1
26d283b52a4fdda9710207e50229388b36feaeea

SHA256
78c8c81204ed569b87cfa7a61cba3ec831b04cc6819c4aa03a60cd0e7ac29a1b

SHA512
8ab02f31f64c5706f1055b4ddf1b8be55755532f0d0c09715545e34eb67b78c6b8a7c3fbfd54fd3458d57e5e3dbbf40ffecbb90620ae3516ea0baf83e732b9af

Download Submit
C:\agentproviderhostCommon\hypersavescommon.exe

Filesize
827KB

MD5
e444951e5a3dfc00be07b161a2b5df5d

SHA1
26d283b52a4fdda9710207e50229388b36feaeea

SHA256
78c8c81204ed569b87cfa7a61cba3ec831b04cc6819c4aa03a60cd0e7ac29a1b

SHA512
8ab02f31f64c5706f1055b4ddf1b8be55755532f0d0c09715545e34eb67b78c6b8a7c3fbfd54fd3458d57e5e3dbbf40ffecbb90620ae3516ea0baf83e732b9af

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
827KB

MD5
e444951e5a3dfc00be07b161a2b5df5d

SHA1
26d283b52a4fdda9710207e50229388b36feaeea

SHA256
78c8c81204ed569b87cfa7a61cba3ec831b04cc6819c4aa03a60cd0e7ac29a1b

SHA512
8ab02f31f64c5706f1055b4ddf1b8be55755532f0d0c09715545e34eb67b78c6b8a7c3fbfd54fd3458d57e5e3dbbf40ffecbb90620ae3516ea0baf83e732b9af

Download Submit
C:\odt\RuntimeBroker.exe

Filesize
827KB

MD5
e444951e5a3dfc00be07b161a2b5df5d

SHA1
26d283b52a4fdda9710207e50229388b36feaeea

SHA256
78c8c81204ed569b87cfa7a61cba3ec831b04cc6819c4aa03a60cd0e7ac29a1b

SHA512
8ab02f31f64c5706f1055b4ddf1b8be55755532f0d0c09715545e34eb67b78c6b8a7c3fbfd54fd3458d57e5e3dbbf40ffecbb90620ae3516ea0baf83e732b9af

Download Submit
memory/3640-145-0x00000000007E0000-0x00000000008B6000-memory.dmp

Filesize
856KB

Download
memory/3640-148-0x0000000002960000-0x0000000002970000-memory.dmp

Filesize
64KB

Download