dcrat | e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6

Analysis

max time kernel
119s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DC86.exe
Size

2.2MB
MD5

50ee114bba99ce3a7ba3e64c0080a644
SHA1

3c9f1189b07b612888a1124714d1586408c78ba0
SHA256

e7fb15dc103eca61803e214b533fb4dd3fa3d4b171886f452eb6ab8353ee2aa6
SHA512

58b94a8596d4a94b28da6f0051d90bf098d9def8a112d9541eca814c7b46f5bae619a331831c060eff04f39b62cac1a2ad2a5fe380c75f59aa79322e09a4b64d
SSDEEP

49152:IBJaWLMtwyMxRizAwgueOJNN3lRHiKLWDWUs:yALwyMb9ue0NTH2Ps

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hyperIntoBroker\\OSPPSVC.exe\", \"C:\\Users\\Default User\\cmd.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hyperIntoBroker\\OSPPSVC.exe\", \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\WmiPrvSE.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hyperIntoBroker\\OSPPSVC.exe\", \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hyperIntoBroker\\OSPPSVC.exe\", \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\audiodg.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hyperIntoBroker\\OSPPSVC.exe\", \"C:\\Users\\Default User\\cmd.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\WmiPrvSE.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\audiodg.exe\", \"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\hyperIntoBroker\\OSPPSVC.exe\""	hyperProviderbrokermonitorNet.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1748	schtasks.exe	34

Executes dropped EXE 2 IoCs

pid	Process
2568	hyperProviderbrokermonitorNet.exe
2208	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2808	cmd.exe
2808	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\WmiPrvSE.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\audiodg.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\hyperIntoBroker\\OSPPSVC.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\hyperIntoBroker\\OSPPSVC.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default User\\cmd.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Default User\\cmd.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\WmiPrvSE.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\System.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Program Files\\Google\\Chrome\\Application\\106.0.5249.119\\audiodg.exe\""	hyperProviderbrokermonitorNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperProviderbrokermonitorNet = "\"C:\\hyperIntoBroker\\hyperProviderbrokermonitorNet.exe\""	hyperProviderbrokermonitorNet.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC633C1B43AD0F43D09F750EA55A618.TMP	csc.exe
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe	hyperProviderbrokermonitorNet.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe	hyperProviderbrokermonitorNet.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\42af1c969fbb7b	hyperProviderbrokermonitorNet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DC86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1720	schtasks.exe
2024	schtasks.exe
2996	schtasks.exe
2004	schtasks.exe
480	schtasks.exe
1764	schtasks.exe
1256	schtasks.exe
1660	schtasks.exe
2128	schtasks.exe
1240	schtasks.exe
2448	schtasks.exe
2420	schtasks.exe
1108	schtasks.exe
2332	schtasks.exe
1924	schtasks.exe
2168	schtasks.exe
2040	schtasks.exe
1060	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe
2568	hyperProviderbrokermonitorNet.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	hyperProviderbrokermonitorNet.exe
Token: SeDebugPrivilege	2208	OSPPSVC.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2856	2380	DC86.exe	30
PID 2380 wrote to memory of 2856	2380	DC86.exe	30
PID 2380 wrote to memory of 2856	2380	DC86.exe	30
PID 2380 wrote to memory of 2856	2380	DC86.exe	30
PID 2856 wrote to memory of 2808	2856	WScript.exe	31
PID 2856 wrote to memory of 2808	2856	WScript.exe	31
PID 2856 wrote to memory of 2808	2856	WScript.exe	31
PID 2856 wrote to memory of 2808	2856	WScript.exe	31
PID 2808 wrote to memory of 2568	2808	cmd.exe	33
PID 2808 wrote to memory of 2568	2808	cmd.exe	33
PID 2808 wrote to memory of 2568	2808	cmd.exe	33
PID 2808 wrote to memory of 2568	2808	cmd.exe	33
PID 2568 wrote to memory of 2028	2568	hyperProviderbrokermonitorNet.exe	38
PID 2568 wrote to memory of 2028	2568	hyperProviderbrokermonitorNet.exe	38
PID 2568 wrote to memory of 2028	2568	hyperProviderbrokermonitorNet.exe	38
PID 2028 wrote to memory of 2788	2028	csc.exe	40
PID 2028 wrote to memory of 2788	2028	csc.exe	40
PID 2028 wrote to memory of 2788	2028	csc.exe	40
PID 2568 wrote to memory of 700	2568	hyperProviderbrokermonitorNet.exe	56
PID 2568 wrote to memory of 700	2568	hyperProviderbrokermonitorNet.exe	56
PID 2568 wrote to memory of 700	2568	hyperProviderbrokermonitorNet.exe	56
PID 700 wrote to memory of 1856	700	cmd.exe	58
PID 700 wrote to memory of 1856	700	cmd.exe	58
PID 700 wrote to memory of 1856	700	cmd.exe	58
PID 700 wrote to memory of 272	700	cmd.exe	59
PID 700 wrote to memory of 272	700	cmd.exe	59
PID 700 wrote to memory of 272	700	cmd.exe	59
PID 700 wrote to memory of 2208	700	cmd.exe	60
PID 700 wrote to memory of 2208	700	cmd.exe	60
PID 700 wrote to memory of 2208	700	cmd.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DC86.exe
"C:\Users\Admin\AppData\Local\Temp\DC86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\hyperIntoBroker\7ZVJJhRLWkC.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe
      "C:\hyperIntoBroker/hyperProviderbrokermonitorNet.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ggnovqd4\ggnovqd4.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2028
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5496.tmp" "c:\Windows\System32\CSC633C1B43AD0F43D09F750EA55A618.TMP"
        6⤵
        
        PID:2788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tGW8o7coX.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1856
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:272
      - C:\hyperIntoBroker\OSPPSVC.exe
        
        "C:\hyperIntoBroker\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\hyperIntoBroker\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\hyperIntoBroker\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\hyperIntoBroker\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 7 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNet" /sc ONLOGON /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperProviderbrokermonitorNeth" /sc MINUTE /mo 7 /tr "'C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0tGW8o7coX.bat

Filesize
206B

MD5
38fe38896686f8a6ae2b2b0e2653378d

SHA1
3d265bb1477cfd7be04c0ba9f64cb0c66b1ab296

SHA256
548bec6bf356bdd0ac07e1c0691b6689d8bdbb4eb320f421a26cff7af34c7cf1

SHA512
5eedc6405dab98c54863f21eac500b1df3d00bd4a93c4125bf762d450887c93b6a00114a025b349f683dbeb7abff1460abd9c90a1b553c35ce81b764225454f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5496.tmp

Filesize
1KB

MD5
63a5133b35a0c233a421f8c31ce38cbd

SHA1
dfaae05652799cec20e318ac514080f3673be2ad

SHA256
3047f6f93351a085e500942753b1fda6c007667a4f59b4b507812cb671b343d5

SHA512
577bec566ba8a9a4616db4fc57f0ba6f28974bb6908a89c2ff05452d03f461a4b8cffe6ca88881ce4c862fafc649f12d7b39479ae840276578f85eada44f2626

Download Submit
C:\hyperIntoBroker\7ZVJJhRLWkC.bat

Filesize
78B

MD5
65f873c875c73f084119594a4449ecea

SHA1
9f050c5bfc5cd3d94c37acac16105f031658904f

SHA256
825a9f47fd1242c15bd81fea64d0f739c9e74f62a1820e182cfa069e1726fd90

SHA512
c4c2886fd99303e222a379a02c981532070c932acb70d2a7460fe257e22b8b0625018fab158e7be011bd5b2f7c45517e2c2fc947b11b84bbbda37ecc1bdc8d63

Download Submit
C:\hyperIntoBroker\hyperProviderbrokermonitorNet.exe

Filesize
1.9MB

MD5
54eff01605da5e7cbdb382c98ece2c2a

SHA1
be2ecfc24603a5e282bdfbb7780a03c1410879b8

SHA256
26bda6e083db3a3c3ccaf29434850d91bbb9e10c48886a6f6a06bbf6c183448d

SHA512
dd00705fb9741c6400145e2433af42605264a95e4c1fe44ee1579ac464463f9b493d8bdef98af4a5b03d717cd79357674cc09e5b8780c4ffe31a9704b08c89d0

Download Submit
C:\hyperIntoBroker\vN1MMUTrCtC1FtSWQe4vLUvQugg9bTGuni3V.vbe

Filesize
205B

MD5
3abc77a7e4977f35cab6e9f29e677438

SHA1
bd300a11ea5af663fe723883f8b5d980d1cbb417

SHA256
e987a0608105af1e7422322184159c1559b26e3d84c27917408c2cdbbd9f9a72

SHA512
b445fd9b854e822077d17b060edd7e253b8e8aeb8ebfb4e1084e2d604276295d715101f0ce1e1b25f0d83247385f76b1ab8885efd7ba6286cd8317d994359cb1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ggnovqd4\ggnovqd4.0.cs

Filesize
362B

MD5
cd1889cde3f6cf5cfbc10f976d8cd44d

SHA1
cd228117281dc5cb00175dd2b21f8d78650a517f

SHA256
eccb961c4547b1894c9f646632dfe778faa8401b91beceebaa21947fd7284483

SHA512
a038281774e66586ea978d33245316d5c70375963ffe89fbe5d32e1d25ddcbbb394f921a8781f0ff84d9188a25d84bbe7dec116ba8f703075c16d8e72d91911a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ggnovqd4\ggnovqd4.cmdline

Filesize
235B

MD5
ef28758bc38cc4ef2f860ca03826eddc

SHA1
798aa5cd83aa6dfc1fced88863793ee698b7a3dd

SHA256
57ef6786fc53825c280a9fa17f8317c412b48ff9476ac0950defc829651fa7c3

SHA512
5914d32c0563c2fc6927ddbf575cafd02efed16b623bd00eb2838a32b7304b5f7c6f9cc8aed64ec96859eb430ebc4d0936ef2e49ec6844f47a3815453d4bed72

Download Submit
\??\c:\Windows\System32\CSC633C1B43AD0F43D09F750EA55A618.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
memory/2208-58-0x0000000000340000-0x0000000000534000-memory.dmp

Filesize
2.0MB

Download
memory/2568-15-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/2568-27-0x0000000002250000-0x000000000225C000-memory.dmp

Filesize
48KB

Download
memory/2568-25-0x0000000002140000-0x000000000214E000-memory.dmp

Filesize
56KB

Download
memory/2568-23-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2568-21-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/2568-19-0x0000000002120000-0x0000000002138000-memory.dmp

Filesize
96KB

Download
memory/2568-17-0x0000000000950000-0x000000000096C000-memory.dmp

Filesize
112KB

Download
memory/2568-13-0x0000000000050000-0x0000000000244000-memory.dmp

Filesize
2.0MB

Download