dcrat | 79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98

Analysis

max time kernel
19s
max time network
20s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe
Size

1.6MB
MD5

e4d5bf96ef8643dcfd7a7f54e572cf59
SHA1

b80bc4046716b909a2f0692faef8d037a61cb9ee
SHA256

79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98
SHA512

6704a1d6da446ab58717dc154180d817d4d3561a4e369d7f066421302c514950a51dd6104ec1e1b180488f7262c2bff00c02438aabc5e74e00e554e2290e1822
SSDEEP

24576:yTbBv5rUTxMWorF6OswaKn31LdWnriW26/kSBn3vwof0XcpDAFsGo5kCfBC2MRy:UBaM3ZdjV4nri+FT0XPQLCBRy

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\TAPI\\WmiPrvSE.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\TAPI\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\TAPI\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\services.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\TAPI\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\services.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Pictures\\explorer.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\TAPI\\WmiPrvSE.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\services.exe\", \"C:\\Windows\\ServiceProfiles\\NetworkService\\Pictures\\explorer.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bridgeChainBlockreviewWin\\DrivermonitorNetdhcp.exe\""	DrivermonitorNetdhcp.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	4664	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4664	schtasks.exe	33

Executes dropped EXE 2 IoCs

pid	Process
3036	DrivermonitorNetdhcp.exe
940	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\DrivermonitorNetdhcp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bridgeChainBlockreviewWin\\DrivermonitorNetdhcp.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\TAPI\\WmiPrvSE.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\TAPI\\WmiPrvSE.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\Idle.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\services.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\services.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\ServiceProfiles\\NetworkService\\Pictures\\explorer.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\ServiceProfiles\\NetworkService\\Pictures\\explorer.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\dwm.exe\""	DrivermonitorNetdhcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DrivermonitorNetdhcp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bridgeChainBlockreviewWin\\DrivermonitorNetdhcp.exe\""	DrivermonitorNetdhcp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC8676223DEDF54F47AAC2316E88F175F.TMP	csc.exe
File created	\??\c:\Windows\System32\qrosn9.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\services.exe	DrivermonitorNetdhcp.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\c5b4cb5e9653cc	DrivermonitorNetdhcp.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe	DrivermonitorNetdhcp.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\6ccacd8608530f	DrivermonitorNetdhcp.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\Pictures\explorer.exe	DrivermonitorNetdhcp.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\Pictures\explorer.exe	DrivermonitorNetdhcp.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Pictures\7a0fd90576e088	DrivermonitorNetdhcp.exe
File created	C:\Windows\TAPI\WmiPrvSE.exe	DrivermonitorNetdhcp.exe
File created	C:\Windows\TAPI\24dbde2999530e	DrivermonitorNetdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4872	schtasks.exe
4928	schtasks.exe
5080	schtasks.exe
2880	schtasks.exe
4900	schtasks.exe
5020	schtasks.exe
2648	schtasks.exe
2172	schtasks.exe
4724	schtasks.exe
4992	schtasks.exe
5108	schtasks.exe
1016	schtasks.exe
1852	schtasks.exe
4700	schtasks.exe
4760	schtasks.exe
4960	schtasks.exe
5052	schtasks.exe
2532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe
3036	DrivermonitorNetdhcp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	DrivermonitorNetdhcp.exe
Token: SeDebugPrivilege	940	dwm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2304	1712	79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe	29
PID 1712 wrote to memory of 2304	1712	79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe	29
PID 1712 wrote to memory of 2304	1712	79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe	29
PID 1712 wrote to memory of 2304	1712	79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe	29
PID 2304 wrote to memory of 2824	2304	WScript.exe	30
PID 2304 wrote to memory of 2824	2304	WScript.exe	30
PID 2304 wrote to memory of 2824	2304	WScript.exe	30
PID 2304 wrote to memory of 2824	2304	WScript.exe	30
PID 2824 wrote to memory of 3036	2824	cmd.exe	32
PID 2824 wrote to memory of 3036	2824	cmd.exe	32
PID 2824 wrote to memory of 3036	2824	cmd.exe	32
PID 2824 wrote to memory of 3036	2824	cmd.exe	32
PID 3036 wrote to memory of 4784	3036	DrivermonitorNetdhcp.exe	37
PID 3036 wrote to memory of 4784	3036	DrivermonitorNetdhcp.exe	37
PID 3036 wrote to memory of 4784	3036	DrivermonitorNetdhcp.exe	37
PID 4784 wrote to memory of 4828	4784	csc.exe	39
PID 4784 wrote to memory of 4828	4784	csc.exe	39
PID 4784 wrote to memory of 4828	4784	csc.exe	39
PID 3036 wrote to memory of 2444	3036	DrivermonitorNetdhcp.exe	55
PID 3036 wrote to memory of 2444	3036	DrivermonitorNetdhcp.exe	55
PID 3036 wrote to memory of 2444	3036	DrivermonitorNetdhcp.exe	55
PID 2444 wrote to memory of 2572	2444	cmd.exe	57
PID 2444 wrote to memory of 2572	2444	cmd.exe	57
PID 2444 wrote to memory of 2572	2444	cmd.exe	57
PID 2444 wrote to memory of 1804	2444	cmd.exe	58
PID 2444 wrote to memory of 1804	2444	cmd.exe	58
PID 2444 wrote to memory of 1804	2444	cmd.exe	58
PID 2444 wrote to memory of 940	2444	cmd.exe	59
PID 2444 wrote to memory of 940	2444	cmd.exe	59
PID 2444 wrote to memory of 940	2444	cmd.exe	59

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe
"C:\Users\Admin\AppData\Local\Temp\79dd01cce6f984152a8e07f6bbc447387a355794bc717a1348644f8b57565a98.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\3gKZAXCAg1FGbpHNytlddzV22hguHiZY84812G8yGhM.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\KfNj92OB2q89BQqYS4KdyWp300Lk8au5.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe
      "C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin/DrivermonitorNetdhcp.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vllr21bk\vllr21bk.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5551.tmp" "c:\Windows\System32\CSC8676223DEDF54F47AAC2316E88F175F.TMP"
        6⤵
        
        PID:4828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GlsfXLn63c.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2572
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1804
      - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DrivermonitorNetdhcpD" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DrivermonitorNetdhcp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DrivermonitorNetdhcpD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GlsfXLn63c.bat

Filesize
246B

MD5
ef9d852c68ba974e36db75e5f1b000d4

SHA1
aaa851f781450b1a2be06058980f059c884fcc92

SHA256
62b51a2992b3b2761141e621cae1e7f3a9d8b7623537d1f57060774304c5d6b6

SHA512
f8d3f0af7a43fec683d5854294ee2711baf8b8e170c982c82951f33bb0e19daf81bd08171a68e18ac3e79ffbb0612a3ee3cafadbcbf29ad3a7673f4a26e9b850

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5551.tmp

Filesize
1KB

MD5
5a8c9c742f0b15b03ce8d6de966bb508

SHA1
2a9b2cdd20a865a0c8beab135b940089a90f0e9f

SHA256
2594b2c9256174052ef925d4e380fdb1744f7bd0967d20aab5ddb301dd1deb2d

SHA512
30d7602dcd6de2bccad44eeb6d099857e612eb0ce6227491b2034a21667c59d86c58e6ea308d7772821043c5c394d50e67e93607035a80950afcb2475558dce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\3gKZAXCAg1FGbpHNytlddzV22hguHiZY84812G8yGhM.vbe

Filesize
239B

MD5
bfa798b1e505fdf4c3d5935690d520c1

SHA1
c0f49114a795b2475d0b8b22b0a55455a50d29e5

SHA256
dbf18fbdbc65ebf9ef0fe14d2241f00c03dd2a1666e49ddb47c4871c67db2e8d

SHA512
cf512995697de828d6bdb198d0e38c3173ea486e266744eded48541a128cfafb690324c7ff21c921854c78ea43a471bd286625af0307f4974ef24b875daf0460

Download Submit
C:\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\KfNj92OB2q89BQqYS4KdyWp300Lk8au5.bat

Filesize
90B

MD5
ca4c23f79ee470ef660f3c2c7fa64e86

SHA1
b7de68c9d60b668a1d92d32b61c676f99c605f8d

SHA256
6af8a46b462cb8d14dbd4d0fd0cb753341bbf1bd4eee84c97a87a6ef9e5ed739

SHA512
46a2eef31a505e43fb2f42b7901169ee04213da51a0e51b9004743cf04171d0727279ace095bf0e256a65c8ed27ff1438722079216a9b8f46ee95edaab78056c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vllr21bk\vllr21bk.0.cs

Filesize
402B

MD5
d8d9a1ffddbf96f78c9cf6b2ff5034d7

SHA1
20c021f62965fb23978140b74d2e22db8d8eb3da

SHA256
1511b495797111338d74cce833955de21a0fbb5eadf858b6caa57f4dab2ac450

SHA512
8ec12f3159ec299ddfd5d1654f4bc750cf26cbee04893e57b640f339a944cb07c8f3b4a862fecd66dd5c430b6e2ccf2e2806d09f7646a2d49b7b1e06c23f995f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vllr21bk\vllr21bk.cmdline

Filesize
235B

MD5
1496db1ab27a97423b27069fda5a1ac0

SHA1
9a4b40ab12fd4029b268c7be33e8b26b00053092

SHA256
954d3ea04d0002d0599259585a0aaae9bf764b3b013fd04bf7fd58485bc839cc

SHA512
37b838cc9e9a1170d6caa3ba07d9b0911a328b49731f3ce905c835cdce129c3a4dc00ce99dd251ff2727a8cacc8791f7abbc0fa2f0082b8157546c44184a4d91

Download Submit
\??\c:\Windows\System32\CSC8676223DEDF54F47AAC2316E88F175F.TMP

Filesize
1KB

MD5
332eb1c3dc41d312a6495d9ea0a81166

SHA1
1d5c1b68be781b14620d9e98183506f8651f4afd

SHA256
bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

SHA512
2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

Download Submit
\Users\Admin\AppData\Local\Temp\bridgeChainBlockreviewWin\DrivermonitorNetdhcp.exe

Filesize
1.3MB

MD5
f7ed452b6b36fe1a6ad40017405f95a2

SHA1
de073fdf34b56af4f03d0ec8a2d221cbf4d0c5d4

SHA256
509a80dd4d58739d863b7fefbbfce44c3588119e9b5a258e0cbf58ac4bc8fb04

SHA512
a51f7e2028ff8016ab9dddfd0f5a320e9b3516ea32476a7bc82f9d3f33339fe2aa104bb48b630f3081deda2146a58164705af150519eb5ec1b6ecb3b8e0e6635

Download Submit
memory/940-3605-0x0000000000070000-0x0000000000078000-memory.dmp

Filesize
32KB

Download
memory/3036-72-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-68-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-26-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-22-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-28-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-32-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-34-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-36-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-38-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-40-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-42-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-61-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-66-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-20-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-78-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-64-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-76-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-74-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-70-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-24-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-62-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-58-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-56-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-54-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-52-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-50-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-48-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-46-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-44-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-3572-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/3036-3574-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/3036-30-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-18-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-16-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-15-0x000000001AD80000-0x000000001AF25000-memory.dmp

Filesize
1.6MB

Download
memory/3036-14-0x000000001AD80000-0x000000001AF2A000-memory.dmp

Filesize
1.7MB

Download
memory/3036-13-0x00000000012C0000-0x00000000012C8000-memory.dmp

Filesize
32KB

Download