dcrat | 96ddb4fa1a296cccac8a22faa8773f1343e2ced466b478980d64f1af493c103a

Analysis

max time kernel
147s
max time network
154s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
03-08-2022 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe
Size

2.0MB
MD5

4f64c5ba875a44be67619fa8342bc777
SHA1

c192a53b53940892febe4bdba9adf9c940988d0f
SHA256

96ddb4fa1a296cccac8a22faa8773f1343e2ced466b478980d64f1af493c103a
SHA512

433086c6e4a26d8b7e58f67176ebb4ff9655fff67d07899911e3e5d49100a2e02d1d41907e0f1bdd2f627bc198a88fe907419755941d3cb31957ca155298daa1

Score

10^/10

dcrat evasion infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

bridgesession.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\conhost.exe\", \"C:\\Windows\\Temp\\Crashpad\\Idle.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\conhost.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\dwm.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\conhost.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\", \"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Program Files\\Windows Photo Viewer\\de-DE\\dwm.exe\", \"C:\\MSOCache\\All Users\\conhost.exe\", \"C:\\Windows\\Temp\\Crashpad\\Idle.exe\""	bridgesession.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1540	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1540	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe	dcrat
\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe	dcrat
\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe	dcrat
C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe	dcrat
behavioral1/memory/288-68-0x0000000000210000-0x00000000003BE000-memory.dmp	dcrat
C:\Windows\Temp\Crashpad\Idle.exe	dcrat
C:\Windows\Temp\Crashpad\Idle.exe	dcrat
behavioral1/memory/1480-87-0x0000000000B40000-0x0000000000CEE000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

bridgesession.exeIdle.exe

pid process

288 bridgesession.exe
1480 Idle.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1360 cmd.exe
1360 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1360	cmd.exe
1360	cmd.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

bridgesession.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\dwm.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\conhost.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Recovery\\060fe882-0475-11ed-b0e6-cc3dddd0fcef\\cmd.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\conhost.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\conhost.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Temp\\Crashpad\\Idle.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\conhost.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\winlogon.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Windows Photo Viewer\\de-DE\\dwm.exe\""	bridgesession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3440072777-2118400376-1759599358-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Windows\\Temp\\Crashpad\\Idle.exe\""	bridgesession.exe

Drops file in Program Files directory 7 IoCs

Processes:

bridgesession.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\088424020bedd6	bridgesession.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	bridgesession.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	bridgesession.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d	bridgesession.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe	bridgesession.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\6cb0b6c459d5d3	bridgesession.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe	bridgesession.exe

Drops file in Windows directory 1 IoCs

Processes:

bridgesession.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_b8406654aa00440b\lsm.exe	bridgesession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1780	schtasks.exe
1700	schtasks.exe
1392	schtasks.exe
1356	schtasks.exe
728	schtasks.exe
980	schtasks.exe
1972	schtasks.exe
1756	schtasks.exe
1208	schtasks.exe
1384	schtasks.exe
744	schtasks.exe
1464	schtasks.exe
1472	schtasks.exe
1744	schtasks.exe
328	schtasks.exe
856	schtasks.exe
908	schtasks.exe
1604	schtasks.exe
1956	schtasks.exe
1952	schtasks.exe
544	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1000 reg.exe

pid	process
1000	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

bridgesession.exeIdle.exe

pid	process
288	bridgesession.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe
1480	Idle.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bridgesession.exeIdle.exe

description pid process

Token: SeDebugPrivilege 288 bridgesession.exe
Token: SeDebugPrivilege 1480 Idle.exe

description	pid	process
Token: SeDebugPrivilege	288	bridgesession.exe
Token: SeDebugPrivilege	1480	Idle.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exeWScript.execmd.exebridgesession.execmd.exeIdle.exe

description	pid	process	target process
PID 1976 wrote to memory of 956	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 1976 wrote to memory of 956	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 1976 wrote to memory of 956	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 1976 wrote to memory of 956	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 1976 wrote to memory of 988	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 1976 wrote to memory of 988	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 1976 wrote to memory of 988	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 1976 wrote to memory of 988	1976	96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe	WScript.exe
PID 956 wrote to memory of 1360	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 1360	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 1360	956	WScript.exe	cmd.exe
PID 956 wrote to memory of 1360	956	WScript.exe	cmd.exe
PID 1360 wrote to memory of 288	1360	cmd.exe	bridgesession.exe
PID 1360 wrote to memory of 288	1360	cmd.exe	bridgesession.exe
PID 1360 wrote to memory of 288	1360	cmd.exe	bridgesession.exe
PID 1360 wrote to memory of 288	1360	cmd.exe	bridgesession.exe
PID 288 wrote to memory of 1492	288	bridgesession.exe	cmd.exe
PID 288 wrote to memory of 1492	288	bridgesession.exe	cmd.exe
PID 288 wrote to memory of 1492	288	bridgesession.exe	cmd.exe
PID 1492 wrote to memory of 2020	1492	cmd.exe	w32tm.exe
PID 1492 wrote to memory of 2020	1492	cmd.exe	w32tm.exe
PID 1492 wrote to memory of 2020	1492	cmd.exe	w32tm.exe
PID 1360 wrote to memory of 1000	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 1000	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 1000	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 1000	1360	cmd.exe	reg.exe
PID 1492 wrote to memory of 1480	1492	cmd.exe	Idle.exe
PID 1492 wrote to memory of 1480	1492	cmd.exe	Idle.exe
PID 1492 wrote to memory of 1480	1492	cmd.exe	Idle.exe
PID 1480 wrote to memory of 972	1480	Idle.exe	WScript.exe
PID 1480 wrote to memory of 972	1480	Idle.exe	WScript.exe
PID 1480 wrote to memory of 972	1480	Idle.exe	WScript.exe
PID 1480 wrote to memory of 2032	1480	Idle.exe	WScript.exe
PID 1480 wrote to memory of 2032	1480	Idle.exe	WScript.exe
PID 1480 wrote to memory of 2032	1480	Idle.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe
"C:\Users\Admin\AppData\Local\Temp\96ddb4fa1a296cccac8a22faa8773f1343e2ced466b47.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentweb\KzCiAFWiG.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\componentweb\lTeat4KS.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe
"C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pX4FL42xAJ.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2020

C:\Windows\Temp\Crashpad\Idle.exe
"C:\Windows\Temp\Crashpad\Idle.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d8983f3-32de-4aa0-8119-6a60ca02d176.vbs"
7⤵
PID:972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5697a2d-b384-41a2-8ca3-34138885ca99.vbs"
7⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1000

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\componentweb\file.vbs"
2⤵
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\060fe882-0475-11ed-b0e6-cc3dddd0fcef\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\060fe882-0475-11ed-b0e6-cc3dddd0fcef\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\060fe882-0475-11ed-b0e6-cc3dddd0fcef\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5d8983f3-32de-4aa0-8119-6a60ca02d176.vbs

Filesize
709B

MD5
b74fcad452a6a7b46727bc2b0db9d930

SHA1
845f43b72c08829f39e7fbf371776a2a57b32e95

SHA256
e354b0a9029b8c1d3783dfa2b89256436d24934ea95fc91061c02e818662a7c7

SHA512
85135e10221a617a61e840cd579b11082460f033d22be8674f0b79b8a13b8985929e2fc80d2569606290c393800871c123e34115cfec876044fd1f4c55649fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5697a2d-b384-41a2-8ca3-34138885ca99.vbs

Filesize
485B

MD5
383be18c473763a8d75536b39ecb4814

SHA1
5b35ae2d3443568e538f33e26fcbaa4bc387deed

SHA256
9aabd7901d3ab701a2b60a6ee48c416e3ea67fc0a0ae6acba6f9e24044203495

SHA512
1c087ae0f21e401d19dd60e6b5b6f94a9157cccb5c06f1cb53a07a904c6458f91463a2bd02e5cbf82bc123964646bd93f1dc3907ee87e698a20bde3bb4607c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pX4FL42xAJ.bat

Filesize
198B

MD5
e81ccb34a48eb774d3def5616a25513a

SHA1
6ce0a967fa0743f6b47e7b543cd7338033b450ea

SHA256
ebf0f12df43db2038b5f7dca288da7a68093946d73d5ffce99b69e3bc246f374

SHA512
e1763cb90ad320228b555cbe77727461fbbd8b216bcc4647b8c825e92e06694f29ab485b10a2d14c4533bc301d3828b189f0a725030a54a9c8a8fad35c1715d1

Download Submit
C:\Users\Admin\AppData\Roaming\componentweb\KzCiAFWiG.vbe

Filesize
205B

MD5
97477f4fd52d9b2ffb51319a264de713

SHA1
64eca106fa0f8923dfc304e78fe32dd1cbdd393b

SHA256
dbea180023ec71eaa16ed1faa254b26688625ba4d48eb93343fb8dab5a7bf185

SHA512
c02d978cf103d812e95a6038d8c3bd0b3bfb07aa29f2405ca88052d28ee3d69bb85e522b156e47fb124a5f9ff7a29fe1b86405231a9c87f88b3ca80fc702429e

Download Submit
C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe

Filesize
1.7MB

MD5
4f080110c40748cabc62f247b3104cca

SHA1
e28c68aa6e57975a28945ed21bb6bd623379b2a0

SHA256
ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d

SHA512
d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143

Download Submit
C:\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe

Filesize
1.7MB

MD5
4f080110c40748cabc62f247b3104cca

SHA1
e28c68aa6e57975a28945ed21bb6bd623379b2a0

SHA256
ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d

SHA512
d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143

Download Submit
C:\Users\Admin\AppData\Roaming\componentweb\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Users\Admin\AppData\Roaming\componentweb\lTeat4KS.bat

Filesize
154B

MD5
e06419a009888884daaca1708dc8f782

SHA1
8d1ceb2ce38fd84fdd998f129de0494303a42609

SHA256
a98e96aaf61ff999b1ea39ae83f1f160a8f0af067247f9e6c0790afcc705585a

SHA512
2b69ac436ddc4eaba2ae53d1713361c2b52c29e991e1a47996a249a66fb56dcab560db79b7722c96f676f6b7a46db85026d2a754f6bad7990e5c4d8ed21ca6f6

Download Submit
C:\Windows\Temp\Crashpad\Idle.exe

Filesize
1.7MB

MD5
4f080110c40748cabc62f247b3104cca

SHA1
e28c68aa6e57975a28945ed21bb6bd623379b2a0

SHA256
ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d

SHA512
d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143

Download Submit
C:\Windows\Temp\Crashpad\Idle.exe

Filesize
1.7MB

MD5
4f080110c40748cabc62f247b3104cca

SHA1
e28c68aa6e57975a28945ed21bb6bd623379b2a0

SHA256
ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d

SHA512
d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143

Download Submit
\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe

Filesize
1.7MB

MD5
4f080110c40748cabc62f247b3104cca

SHA1
e28c68aa6e57975a28945ed21bb6bd623379b2a0

SHA256
ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d

SHA512
d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143

Download Submit
\Users\Admin\AppData\Roaming\componentweb\bridgesession.exe

Filesize
1.7MB

MD5
4f080110c40748cabc62f247b3104cca

SHA1
e28c68aa6e57975a28945ed21bb6bd623379b2a0

SHA256
ec741c36f90173822380788d1ea972c37162c51e24235eec9dc87ce2ae033f9d

SHA512
d1388af36633ecb6a0a0f4e17b9efe68acb965dd448da0810528311f564385c2258e602864cd005161464dbd2fd8e43bf1a018fa941e20bf5c167648eba50143

Download Submit
memory/288-74-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/288-68-0x0000000000210000-0x00000000003BE000-memory.dmp

Filesize
1.7MB

Download
memory/288-70-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/288-71-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/288-72-0x0000000000440000-0x0000000000450000-memory.dmp

Filesize
64KB

Download
memory/288-73-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/288-66-0x0000000000000000-mapping.dmp

Download
memory/288-75-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/288-76-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/288-77-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/288-78-0x0000000000940000-0x000000000094C000-memory.dmp

Filesize
48KB

Download
memory/288-79-0x000000001A810000-0x000000001A81C000-memory.dmp

Filesize
48KB

Download
memory/288-69-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/956-55-0x0000000000000000-mapping.dmp

Download
memory/972-89-0x0000000000000000-mapping.dmp

Download
memory/988-56-0x0000000000000000-mapping.dmp

Download
memory/1000-83-0x0000000000000000-mapping.dmp

Download
memory/1360-62-0x0000000000000000-mapping.dmp

Download
memory/1480-85-0x0000000000000000-mapping.dmp

Download
memory/1480-87-0x0000000000B40000-0x0000000000CEE000-memory.dmp

Filesize
1.7MB

Download
memory/1480-88-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1492-80-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000076901000-0x0000000076903000-memory.dmp

Filesize
8KB

Download
memory/2020-82-0x0000000000000000-mapping.dmp

Download
memory/2032-90-0x0000000000000000-mapping.dmp

Download