dcrat | e810c9445e775019ee32d4a0d4aba7315a5e44527e854a444ad7f072c7dd891f

Analysis

max time kernel
23s
max time network
143s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-11-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kirrstar.exe
Size

1.9MB
MD5

782545ebb1627aafbdd1f71cc52e50c7
SHA1

b1d27c1e03fe974d50137057951d1777439cc613
SHA256

e810c9445e775019ee32d4a0d4aba7315a5e44527e854a444ad7f072c7dd891f
SHA512

9083e247eebc90392c4a2b9e4b10a9c81eec85dc9a13c3f9b539918c7225d730f8dc470769ccdeb2bdf139ff68f6c640f7d2a1cd3bf1396236de80b5af7bf07c
SSDEEP

49152:HbA3FaX7C/8hUYjLY7rtMfDYj8Fun8rxe0SdqY:HbbX7C0E+Yjg9xnyv

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3352	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3352	schtasks.exe	87

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0028000000045061-13.dat	dcrat
behavioral1/memory/2040-16-0x00000000004E0000-0x0000000000682000-memory.dmp	dcrat
behavioral1/files/0x002800000004506a-333.dat	dcrat
behavioral1/files/0x002800000004506a-372.dat	dcrat
behavioral1/files/0x002800000004506a-409.dat	dcrat
behavioral1/files/0x002800000004506a-440.dat	dcrat

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RuntimeBroker.exeRuntimeBroker.exekirrstar.exeWScript.exehypercrtcommon.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	kirrstar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	hypercrtcommon.exe

Executes dropped EXE 3 IoCs

Processes:

hypercrtcommon.exeRuntimeBroker.exeRuntimeBroker.exe

pid	Process
2040	hypercrtcommon.exe
456	RuntimeBroker.exe
1708	RuntimeBroker.exe

Drops file in Program Files directory 6 IoCs

Processes:

hypercrtcommon.exe

description	ioc	Process
File created	C:\Program Files\Windows Security\BrowserCore\en-US\services.exe	hypercrtcommon.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\c5b4cb5e9653cc	hypercrtcommon.exe
File created	C:\Program Files\WindowsApps\Deleted\WmiPrvSE.exe	hypercrtcommon.exe
File created	C:\Program Files\ModifiableWindowsApps\sysmon.exe	hypercrtcommon.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe	hypercrtcommon.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\9e8d7a4ca61bd9	hypercrtcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exekirrstar.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kirrstar.exe

Modifies registry class 2 IoCs

Processes:

kirrstar.exeRuntimeBroker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	kirrstar.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1164	schtasks.exe
2468	schtasks.exe
3572	schtasks.exe
3432	schtasks.exe
2416	schtasks.exe
644	schtasks.exe
4244	schtasks.exe
1580	schtasks.exe
2132	schtasks.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

hypercrtcommon.exeRuntimeBroker.exeRuntimeBroker.exe

pid	Process
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
2040	hypercrtcommon.exe
456	RuntimeBroker.exe
1708	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

hypercrtcommon.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	Process
Token: SeDebugPrivilege	2040	hypercrtcommon.exe
Token: SeDebugPrivilege	456	RuntimeBroker.exe
Token: SeDebugPrivilege	1708	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

kirrstar.exeWScript.execmd.exehypercrtcommon.exeRuntimeBroker.exeWScript.exe

description	pid	Process	procid_target
PID 4760 wrote to memory of 2964	4760	kirrstar.exe	82
PID 4760 wrote to memory of 2964	4760	kirrstar.exe	82
PID 4760 wrote to memory of 2964	4760	kirrstar.exe	82
PID 2964 wrote to memory of 1636	2964	WScript.exe	89
PID 2964 wrote to memory of 1636	2964	WScript.exe	89
PID 2964 wrote to memory of 1636	2964	WScript.exe	89
PID 1636 wrote to memory of 2040	1636	cmd.exe	91
PID 1636 wrote to memory of 2040	1636	cmd.exe	91
PID 2040 wrote to memory of 456	2040	hypercrtcommon.exe	102
PID 2040 wrote to memory of 456	2040	hypercrtcommon.exe	102
PID 456 wrote to memory of 2128	456	RuntimeBroker.exe	103
PID 456 wrote to memory of 2128	456	RuntimeBroker.exe	103
PID 456 wrote to memory of 2748	456	RuntimeBroker.exe	104
PID 456 wrote to memory of 2748	456	RuntimeBroker.exe	104
PID 2128 wrote to memory of 1708	2128	WScript.exe	106
PID 2128 wrote to memory of 1708	2128	WScript.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\kirrstar.exe
"C:\Users\Admin\AppData\Local\Temp\kirrstar.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\serverWebRefcrt\nuGtg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\serverWebRefcrt\q5bwasDOM5YS7sD9.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Users\Admin\AppData\Roaming\serverWebRefcrt\hypercrtcommon.exe
      "C:\Users\Admin\AppData\Roaming\serverWebRefcrt\hypercrtcommon.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d72e627-5e6d-4dd3-a732-d521e792d23d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42e44d48-790a-4576-b39f-09fd934edc2a.vbs"
        8⤵
        
        PID:5044
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        9⤵
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cc19cfe-21b2-4d97-ab50-84f3fa380b56.vbs"
        10⤵
        
        PID:2732
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        11⤵
        
        PID:4372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad054355-75a6-47eb-a8a1-7bcdea5e9582.vbs"
        12⤵
        
        PID:4672
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        13⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\182a894d-39a9-4bab-a4c3-39ceb977e087.vbs"
        14⤵
        
        PID:4804
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        15⤵
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db72ad23-32de-4ad4-a6a2-696d51cf8678.vbs"
        16⤵
        
        PID:2852
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        17⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37fa3f8b-c30c-4a4e-9aeb-f2ddd3c1b617.vbs"
        18⤵
        
        PID:4288
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        19⤵
        
        PID:3576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ab06943-127d-4c3b-9aa2-a1d869512349.vbs"
        20⤵
        
        PID:3196
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        21⤵
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a891a0e-9f0f-4373-a1bc-7206dd1a2dea.vbs"
        22⤵
        
        PID:2956
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        23⤵
        
        PID:716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7b3daea-e9bf-4614-b54d-39ccb0dd4f29.vbs"
        24⤵
        
        PID:3036
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        25⤵
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4eaefc84-0851-4eb9-9925-6dd4162e6fb4.vbs"
        26⤵
        
        PID:2852
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        27⤵
        
        PID:4768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc4cac53-46a1-47ea-874b-8aebcd453710.vbs"
        28⤵
        
        PID:824
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        29⤵
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53a51ada-f97c-481e-914f-76663e0f57ec.vbs"
        30⤵
        
        PID:4492
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        31⤵
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6038e740-948e-4c25-90cb-a36546afcadb.vbs"
        32⤵
        
        PID:4860
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe"
        33⤵
        
        PID:4656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb2f3e4f-967c-45c5-beb4-dd56351edb85.vbs"
        34⤵
        
        PID:3604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31ac270a-bb5c-44b8-a17a-d5708c0a9c92.vbs"
        34⤵
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdb99275-1727-4ca3-921d-bf586e2a9000.vbs"
        32⤵
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f6f5982-a57c-4963-a2f9-973bb5091b01.vbs"
        30⤵
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f97ac3b-b830-4099-8ab8-596e234ed29c.vbs"
        28⤵
        
        PID:4908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58655bac-d5f2-4b7d-9df1-71c687ecd772.vbs"
        26⤵
        
        PID:4484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ddc8a96-18a1-49ab-9e25-9557cc7bf682.vbs"
        24⤵
        
        PID:3264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cff26d3-d9e8-4acc-8479-a654024a3248.vbs"
        22⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c14999d0-d3bc-4dc4-a0a8-662b19de0297.vbs"
        20⤵
        
        PID:60
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4208378a-0be1-4f8d-a7cc-1ad727302781.vbs"
        18⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46ddd8e2-27dd-49b5-9c82-14670ff35c0a.vbs"
        16⤵
        
        PID:3308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f05e71e-1212-4219-8154-9ae505df3300.vbs"
        14⤵
        
        PID:712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cec05498-27f7-4c33-87d8-a51a539627ca.vbs"
        12⤵
        
        PID:1096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d4c5741-4572-4038-a425-a39b7d6f7e07.vbs"
        10⤵
        
        PID:3824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b6c595e-1504-4061-b24a-93091ed2a0a8.vbs"
        8⤵
        
        PID:4200
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\881c0fc8-1b4c-46f9-bfe1-b0afdae11f1f.vbs"
        6⤵
        
        PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe

Filesize
1.4MB

MD5
6cc99ff0d90bfd79324d58f63bc52cf1

SHA1
6763e1c9ddb096d2c02498f9fa1c631b30e974ca

SHA256
a6433a948d4d1d181e601f6ad9ed752b137d26950c47e8ed3f1993ad7b9d611a

SHA512
4143b8e4e51e2e1a4d15f61c7187bb44a95ccfd4befa532c24c6ed10545da37b6f04489481b48208a2aac694bfc903cca884c6b3721513c94b3630d3869fadbd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe

Filesize
898KB

MD5
ecf40b09fdb4ceda764489dbf8f1721f

SHA1
116824114e26875bc5ae8995e28116130970086f

SHA256
7542fb1b1057b0261d7f516b53dc4d42e03802a9fab4eaaa911ebf249561204b

SHA512
ed4ffbaa6bb2a731786553ac6d2c8af7a1a3ad8b1542ca187885a280b5a433bc220d647278d1b1c497ea89d88fecf5db0ba1cef6019ff05f74f2b1b22b6b6129

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe

Filesize
923KB

MD5
4440be9ed4a16009e67386bd6a98d16a

SHA1
39e96f296d358847aa5ae7de7c4506c28405075e

SHA256
435929c13848ce57650e1bd1a934db1b749f41d2c003a4da0dfcfb839c787b8d

SHA512
085075dafa758f9a865f43a6da5dadfde0410dbde223f896117558fdfec81215e70e6009a86a4c10db5819be2d18617e8b95c6cc4c85d8be4080a85aa6398ad6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\RuntimeBroker.exe

Filesize
411KB

MD5
1eb9d09bb59bb6edfe8da1a1eb9f5f46

SHA1
7fc851f79afe554f26a8d3ad62eeabd02ca9c016

SHA256
66d18ff16bac169843c4b269b267bf6d0ded0f32a2015e6c777f998b117d9161

SHA512
ad8944e31334d7611a3e942406d2b1c6dd04c7f76b5d4aaf7797597eaec739ee142c9229efb9e7cbcc2555dd07f6af3afc41192a5d29aba49749987468fba695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
b4c6907205266a76d90a3fc6a40e2cee

SHA1
f1c7553e975b6e322b8032dc9e72f189cc1848f8

SHA256
52f69a7d18c90b1e096c2ee1898b8ed4f214ec4789622462281ebd799ed9acb6

SHA512
ffaf7a3ffe751d0a5467c0064c5233d9842e7ef828f186d153a48d6f66462c0a920e4eb23bdaea7da180f66f19fc81b860d59eca8eb0af2c7da439fa1f419b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\182a894d-39a9-4bab-a4c3-39ceb977e087.vbs

Filesize
749B

MD5
c8a06d8120a6d0b0d3dc366c1fac5503

SHA1
4e638310269dbb97ed34ba24b3fe6ca1ca35086e

SHA256
ca04976fd89316d28a9d7dd281b1435bc53de2da195a0b8661c3194312a3001a

SHA512
a63308617bee22706ae3fbd147481bac0e07b79b3861eb8a3932c191a4615e45947d7249833e7fa4d95b81b9aa69ec1a3252930b35cb6a1f764a91e1f087ad4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d72e627-5e6d-4dd3-a732-d521e792d23d.vbs

Filesize
748B

MD5
62ffa049f5a355d1afed2f1ee5fe9ce6

SHA1
a4f708b9e5240a6844f51c452abb1094e992b2c2

SHA256
149399d52507edb6548dfa239dca19f7dccb217a11af99f9e33125abf09ee9e9

SHA512
775e5711fe1c8fc44cb9567d75d399829f1ddaf970d5c972294da7bc4d117f72da570a5f4f6b44e63d2b2673c4a00532cecb74e6be086af84c92ad5a7c6171c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\37fa3f8b-c30c-4a4e-9aeb-f2ddd3c1b617.vbs

Filesize
749B

MD5
c3c57c50b765b7852d13376eb8e9794a

SHA1
1f249c52a489ebac39fcb3725f4717d82b7979f6

SHA256
2782934c36ca925365d5de1ec1c1b06e91d6e0012630f3cba0b13148de43fef4

SHA512
a00a53b6514199cdfd8ac608fb59b0abfa5a8382cf47a21f83bae8b284aeb66dcae993fc8976a7e6101bfe8512d66a7c192e0d08bbee20f5bacc4aca860eadb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\42e44d48-790a-4576-b39f-09fd934edc2a.vbs

Filesize
749B

MD5
5649ff2e625c55d0a24c67294dc39048

SHA1
c1bd547c9242a0f3c6d7de6d36088bc41a411b12

SHA256
7c0a2ce42b53931ccdc35ddccd80e54e5a104144305241c7321ba9843efb8186

SHA512
36bb113cf9a19bab71be4df67056dbd7fbc5186f5e4e02f4673f2c4552e66f210f4fc7c8237d1e05622abe218ebec35a68c6372b531c244f67ef568a80255960

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ab06943-127d-4c3b-9aa2-a1d869512349.vbs

Filesize
749B

MD5
974b841a4d9a63943a6600a8c7108dea

SHA1
4ebee33950d6e4b09034ddd9d866e0aa85c297e8

SHA256
f34d351b2f9239a826d7952d1fd606f8352800c6a93b000a4d7425bfd2324465

SHA512
ca7c3d750f429d77c2352bd13ad717dda55930ddd902541f31f3198dad38572a2e20666392ea2c940a21c48c897c81e31097bdcc6695cbe60d13709a4e82b1b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4cc19cfe-21b2-4d97-ab50-84f3fa380b56.vbs

Filesize
749B

MD5
ae22827f50e74077a5bc4ce566d7b1ab

SHA1
09b0645350f2343c2c24e74b7436b74695255c57

SHA256
ae5c075c8f166d98105ee732c96ad934e69fa1b2d1cf27f011cc3fa87af74b58

SHA512
8ad696b6cb2d3cb0882948e46fd06ee46b315c2a2792269d796038c132f0207a9f4302101406dccaf277967c37af03e844ec1e119a7a0f74bda00d7b37b24d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\4eaefc84-0851-4eb9-9925-6dd4162e6fb4.vbs

Filesize
749B

MD5
eb33122dc3d905c404fb3ffdcf9bf26f

SHA1
490113c88b8c2f5fb1f0c8ef3019717fab974bd8

SHA256
281c8e87cde75ab16264af6a5329ed56b4ebe516cfd60b3a60effc36b1591cfb

SHA512
5011cabbb6d81d52bbc85854e93f7bdcbb8fa8955936791f559ed597738fc3c722fcc7e7f5b83323a76cf963279c148ee2c9935fe63504570dfa4eec9303dc7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\53a51ada-f97c-481e-914f-76663e0f57ec.vbs

Filesize
749B

MD5
ec13af6bd5b327f355a0bbb51f791e85

SHA1
e6068141c440e5e67f4e597110c00bdc14915741

SHA256
e7ecd4d1e4ff16b04692b79551e0bdc39e3a9ad767846f42ecbad1a53fbc3dc6

SHA512
b75d87db091640c07f579947ad3aa0789ef77b82e611b49c4b47ad4add947972dac26caca70159775f9de305e2f982ddc29cce34e7d400cd5cd0984d057f2fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a891a0e-9f0f-4373-a1bc-7206dd1a2dea.vbs

Filesize
749B

MD5
fdf8fc656d80eef4e97b8ee9f90ed332

SHA1
8687f1f44f8f3817362dc9355ae8de2ada5c8554

SHA256
739d54e546eecd9631d6fe633f8408ec0c1b12e550e89c44ce40e7d8f3c6563b

SHA512
af9635ff5396104c52c674f987afa56383ba73b3c2e26c4c65de5b2f7ce410f75ac070ff533db716119323b5d3e40d539d98d9ba2eb49e0eb128487eb2c0a82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6038e740-948e-4c25-90cb-a36546afcadb.vbs

Filesize
749B

MD5
001982a167913214d7b5f15c02894529

SHA1
9744bb15526bed000ef84c0790c11e3e50dae108

SHA256
7210f3e4beb7a7de89e651b722439eec964826bc2161f671817268799a1f0ff3

SHA512
fb2e14c4e017a3b9524b21eb3d52774b6a2836d899346f090b186da1fda870d85c29d7cc3387c6da49d0a4ed83861c99e04cd4bc8c62faaec95e69cecff8bc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\881c0fc8-1b4c-46f9-bfe1-b0afdae11f1f.vbs

Filesize
525B

MD5
b6a49593c9180fea1ffce0265c59cf6e

SHA1
58aae213f216fc04254bd4707a8e8234aec53aa7

SHA256
97bda5add11a418ecc81719ad3f39bf27a2fd715bc8b2735327635a52fe19b06

SHA512
9be1b621b4eb7988f7bcfa25dfb1a7b7eee505e670677db3814a9fb9df05a0aa7b67ad3703d5397958ef4d42b0814ce6168384fbd387dfe581a67ceaa5a43e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad054355-75a6-47eb-a8a1-7bcdea5e9582.vbs

Filesize
749B

MD5
30674c5b685c230013953d6d826d7e93

SHA1
481ec5c53a509d804837cde8aec86c2977a5ca3a

SHA256
64c0bfb95234c2619ec6e694e7c088d234d61e3f5fd43dd13ab9cc0978355dee

SHA512
ae5e8dfc1aa1f48f796a5e449254f7e012733b198a0b4c4c118760e2141917805f6a5dc3b3344ce69bf6883513b85e08b9c107486d85000417395e4040159793

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb2f3e4f-967c-45c5-beb4-dd56351edb85.vbs

Filesize
749B

MD5
535902479104ab5ab0a1e339a96bd73f

SHA1
70d581f3466d92f02aba5c9192bebbb71eb21ccb

SHA256
389f2f2a6d6909f74f531141e94bd6a46f5804205e1fe6b833b7ed3720584831

SHA512
13237e5e4ea14b9f253d6a93ffc202b6e066f4195249f91fb9db8476454aa8279591441af4afb080521436f0fbd5773f8db8dfa9737055535cc25004e98b1fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\db72ad23-32de-4ad4-a6a2-696d51cf8678.vbs

Filesize
749B

MD5
254224339f57809508d3396d16ddf978

SHA1
d371a3348a28262dee27581b49b1c9fadb746a1d

SHA256
cfe40b64e2c443c78ae233513a82241d2e83fce315fae3dce506b2ad79afcb37

SHA512
0504f659d6749b2ded1e189cc6a6cfd121a54dfae580a9653cb27c8e39e4f8076707fd1ed183de532bfc3e77a43be2d742a6fc2a210f82de70461662b32a740c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7b3daea-e9bf-4614-b54d-39ccb0dd4f29.vbs

Filesize
748B

MD5
15fedb930ad9c0a8de0c7ce0cba2381d

SHA1
a8153f6c605563658b14afb609a30b25943ea9a2

SHA256
45cba2e8505a15592fedd2e887594946edc74f6cd62d93d8b37a499ba166f522

SHA512
1ff5c9abb1b178de0f81a105501ebeec7d6dadd9c74c847c34757dfac415ca6a3b23c9caee4c23cbcbd4587701b0e2ab0f4c7236bddb18c52df4421f4620f532

Download Submit
C:\Users\Admin\AppData\Local\Temp\fc4cac53-46a1-47ea-874b-8aebcd453710.vbs

Filesize
749B

MD5
dcc2818724190f60c2d1752b3e25412b

SHA1
924c134e4e2f57adab2d5bb7a23a2a86501cd914

SHA256
0c8d6d86abf53170fe13d95704db0e7d2c3aa44d1ef5b837f206e32064b8b7d1

SHA512
20a469a03881f47df043d659c048a977ea7eed49ea7d22ddf7069763496511007192353450b66b2fae250b3e692644d996d57c6743949e9a9d53a10bba2e4050

Download Submit
C:\Users\Admin\AppData\Roaming\serverWebRefcrt\hypercrtcommon.exe

Filesize
1.6MB

MD5
072edca5a98ae0ff356fa14ad186d76a

SHA1
0514122976c7d5e0bbbe14e6d0a1694f27a32b9e

SHA256
47d7589c2c7496edc95b731fcdec2d965acba56315ff83916c04e661c57e3601

SHA512
589f700ed723fdc972111b0072e6791aaf4d0e2b804dbde19cbaf1895ae1993e2572290c99c24227cb58a1182b1b0d717ef7e4f04a8d9177339c04bd5f0c4220

Download Submit
C:\Users\Admin\AppData\Roaming\serverWebRefcrt\nuGtg.vbe

Filesize
215B

MD5
95be41d8177ec747048637be28e9f418

SHA1
37f9979e22af99ffd429b6434382ae745d37743e

SHA256
b18e9afd19aacc32b0559a1b54c0edf163ac9f65f73915faad8c8f292ce9face

SHA512
b6d4e7fadfa3a69b0a4fe18553a50ca0efc33f38030cf976dbf2815b5e62248d88b8103e188c86553477aa21a8bbc9361079d21d5dd077cf2523d4ccf6249b68

Download Submit
C:\Users\Admin\AppData\Roaming\serverWebRefcrt\q5bwasDOM5YS7sD9.bat

Filesize
46B

MD5
c410c756184db7fecbe24e333980916c

SHA1
e0f7f117977531ffeffb38c09556dc8c6d03380a

SHA256
86227dbd23320383949944459a14570218eaaa702ec1765dbc64e8eb9190efe5

SHA512
55f233396d844febd12814026e37737d2ffbdc542d5f9feaa985fbf00dac6602895cd732931aba12dc01a02ef9485360342a41052e06f59997a6d43901a33158

Download Submit
memory/456-36-0x000000001D3A0000-0x000000001D3B2000-memory.dmp

Filesize
72KB

Download
memory/712-157-0x000002C10B450000-0x000002C10B48B000-memory.dmp

Filesize
236KB

Download
memory/712-156-0x000002C10B420000-0x000002C10B449000-memory.dmp

Filesize
164KB

Download
memory/816-71-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-72-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-80-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-79-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-78-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-77-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-76-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-82-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-70-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/816-81-0x0000025865930000-0x0000025865931000-memory.dmp

Filesize
4KB

Download
memory/1096-129-0x000002D7FE510000-0x000002D7FE539000-memory.dmp

Filesize
164KB

Download
memory/1096-130-0x000002D7FE540000-0x000002D7FE57B000-memory.dmp

Filesize
236KB

Download
memory/1968-175-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/2040-27-0x000000001BAB0000-0x000000001BABE000-memory.dmp

Filesize
56KB

Download
memory/2040-21-0x000000001B1E0000-0x000000001B1E8000-memory.dmp

Filesize
32KB

Download
memory/2040-15-0x00007FF9720C3000-0x00007FF9720C5000-memory.dmp

Filesize
8KB

Download
memory/2040-16-0x00000000004E0000-0x0000000000682000-memory.dmp

Filesize
1.6MB

Download
memory/2040-17-0x000000001B180000-0x000000001B18E000-memory.dmp

Filesize
56KB

Download
memory/2040-22-0x000000001B200000-0x000000001B20C000-memory.dmp

Filesize
48KB

Download
memory/2040-24-0x000000001B260000-0x000000001B272000-memory.dmp

Filesize
72KB

Download
memory/2040-23-0x000000001B1F0000-0x000000001B1F8000-memory.dmp

Filesize
32KB

Download
memory/2040-18-0x000000001B190000-0x000000001B1AC000-memory.dmp

Filesize
112KB

Download
memory/2040-19-0x000000001B210000-0x000000001B260000-memory.dmp

Filesize
320KB

Download
memory/2040-20-0x000000001B1C0000-0x000000001B1D6000-memory.dmp

Filesize
88KB

Download
memory/2040-29-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/2040-25-0x000000001BFE0000-0x000000001C508000-memory.dmp

Filesize
5.2MB

Download
memory/2040-30-0x000000001BAE0000-0x000000001BAEA000-memory.dmp

Filesize
40KB

Download
memory/2040-28-0x000000001BAC0000-0x000000001BACE000-memory.dmp

Filesize
56KB

Download
memory/2040-26-0x000000001B290000-0x000000001B29A000-memory.dmp

Filesize
40KB

Download
memory/2748-55-0x000002986AB60000-0x000002986AB9B000-memory.dmp

Filesize
236KB

Download
memory/2748-54-0x000002986AB30000-0x000002986AB59000-memory.dmp

Filesize
164KB

Download
memory/2764-208-0x0000019E4E440000-0x0000019E4E47B000-memory.dmp

Filesize
236KB

Download
memory/2764-207-0x0000019E4E410000-0x0000019E4E439000-memory.dmp

Filesize
164KB

Download
memory/3308-200-0x0000016C1D970000-0x0000016C1D999000-memory.dmp

Filesize
164KB

Download
memory/3308-201-0x0000016C1D9A0000-0x0000016C1D9DB000-memory.dmp

Filesize
236KB

Download
memory/3824-125-0x000002056AA00000-0x000002056AA3B000-memory.dmp

Filesize
236KB

Download
memory/3824-124-0x000002056A9D0000-0x000002056A9F9000-memory.dmp

Filesize
164KB

Download
memory/4200-88-0x000001F0F3650000-0x000001F0F368B000-memory.dmp

Filesize
236KB

Download
memory/4200-87-0x000001F0F1110000-0x000001F0F1139000-memory.dmp

Filesize
164KB

Download
memory/4372-105-0x000000001C9C0000-0x000000001C9D2000-memory.dmp

Filesize
72KB

Download
memory/5044-85-0x000001F023710000-0x000001F023739000-memory.dmp

Filesize
164KB

Download
memory/5044-86-0x000001F024EF0000-0x000001F024F2B000-memory.dmp

Filesize
236KB

Download