dcrat | 567e51d04882051f17bd3731d594f8b4170034d07fb1e86bc9efb2f3c6c4fcae

Analysis

max time kernel
91s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2022 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
Size

2.0MB
MD5

8468c0223b7665174d19866d33ae9731
SHA1

b261b25063f61b7194310d62912596df732ebbb7
SHA256

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83
SHA512

77397cc18ba208256e9fc4ebd182a197f6fc2f71e17ae737b0ab3bfa8c09d3da6a3ae30076a1bfaea9bd4889402f5e897f3b751cf86e8e12fd59f85f48613eb6
SSDEEP

49152:ubA3j3+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvK:ubdTHUxUoh1IF9gl2x

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3492	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3512	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	4380	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4380	schtasks.exe	29

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/files/0x0006000000022e1b-137.dat	dcrat
behavioral2/files/0x0006000000022e1b-138.dat	dcrat
behavioral2/memory/3856-139-0x0000000000960000-0x0000000000B20000-memory.dmp	dcrat

Drops file in Drivers directory 1 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	SurrogateDll.exe

Executes dropped EXE 1 IoCs

Processes:

SurrogateDll.exe

pid	Process
3856	SurrogateDll.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Program Files directory 25 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\5940a34987c991	SurrogateDll.exe
File created	C:\Program Files\Windows NT\Accessories\5b884080fd4f94	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9F40.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXAAEF.tmp	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\886983d96e3d3e	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX98D2.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\RCX9960.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCXAB9C.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\f3b6ecef712a24	SurrogateDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9ED1.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXAF67.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCXB575.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fontdrvhost.exe	SurrogateDll.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe	SurrogateDll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	SurrogateDll.exe
File created	C:\Program Files\Windows NT\Accessories\fontdrvhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXAED9.tmp	SurrogateDll.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe	SurrogateDll.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\RCXB507.tmp	SurrogateDll.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	SurrogateDll.exe

Drops file in Windows directory 8 IoCs

Processes:

SurrogateDll.exe

description	ioc	Process
File created	C:\Windows\fr-FR\System.exe	SurrogateDll.exe
File created	C:\Windows\fr-FR\27d1bcfc3c54e0	SurrogateDll.exe
File created	C:\Windows\ServiceState\EventLog\Data\services.exe	SurrogateDll.exe
File opened for modification	C:\Windows\fr-FR\RCXA7E0.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\fr-FR\RCXA85E.tmp	SurrogateDll.exe
File opened for modification	C:\Windows\fr-FR\System.exe	SurrogateDll.exe
File created	C:\Windows\Boot\Misc\PCAT\csrss.exe	SurrogateDll.exe
File created	C:\Windows\rescache\_merged\System.exe	SurrogateDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1340	3856	WerFault.exe	82

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	Process
3384	schtasks.exe
3492	schtasks.exe
2500	schtasks.exe
2668	schtasks.exe
4188	schtasks.exe
1740	schtasks.exe
1780	schtasks.exe
2360	schtasks.exe
1920	schtasks.exe
3476	schtasks.exe
3292	schtasks.exe
3924	schtasks.exe
2036	schtasks.exe
3720	schtasks.exe
4788	schtasks.exe
1964	schtasks.exe
116	schtasks.exe
5004	schtasks.exe
1972	schtasks.exe
3508	schtasks.exe
2092	schtasks.exe
3164	schtasks.exe
3656	schtasks.exe
4124	schtasks.exe
3700	schtasks.exe
3828	schtasks.exe
3564	schtasks.exe
3640	schtasks.exe
2144	schtasks.exe
620	schtasks.exe
4828	schtasks.exe
1520	schtasks.exe
1352	schtasks.exe
4316	schtasks.exe
2028	schtasks.exe
4044	schtasks.exe
2324	schtasks.exe
3512	schtasks.exe
3604	schtasks.exe

Modifies registry class 1 IoCs

Processes:

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exe

pid	Process
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
3856	SurrogateDll.exe
2704	powershell.exe
2344	powershell.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

SurrogateDll.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3856	SurrogateDll.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exeWScript.execmd.exeSurrogateDll.exe

description	pid	Process	procid_target
PID 2608 wrote to memory of 536	2608	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	79
PID 2608 wrote to memory of 536	2608	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	79
PID 2608 wrote to memory of 536	2608	915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe	79
PID 536 wrote to memory of 816	536	WScript.exe	80
PID 536 wrote to memory of 816	536	WScript.exe	80
PID 536 wrote to memory of 816	536	WScript.exe	80
PID 816 wrote to memory of 3856	816	cmd.exe	82
PID 816 wrote to memory of 3856	816	cmd.exe	82
PID 3856 wrote to memory of 3932	3856	SurrogateDll.exe	131
PID 3856 wrote to memory of 3932	3856	SurrogateDll.exe	131
PID 3856 wrote to memory of 2704	3856	SurrogateDll.exe	132
PID 3856 wrote to memory of 2704	3856	SurrogateDll.exe	132
PID 3856 wrote to memory of 2344	3856	SurrogateDll.exe	133
PID 3856 wrote to memory of 2344	3856	SurrogateDll.exe	133
PID 3856 wrote to memory of 1760	3856	SurrogateDll.exe	134
PID 3856 wrote to memory of 1760	3856	SurrogateDll.exe	134

C:\Users\Admin\AppData\Local\Temp\915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe
"C:\Users\Admin\AppData\Local\Temp\915f9f512ca5182e905b1ae904c984b30f5039884d1835d91248b0e6b19f0f83.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\agentBrowsersavesRefBroker\SurrogateDll.exe
      "C:\agentBrowsersavesRefBroker\SurrogateDll.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 3856 -s 1176
        5⤵
        Program crash
        
        PID:1340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/agentBrowsersavesRefBroker/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        5⤵
        
        PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\agentBrowsersavesRefBroker\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\agentBrowsersavesRefBroker\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\agentBrowsersavesRefBroker\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3856 -ip 3856
1⤵
PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\SurrogateDll.exe

Filesize
1.7MB

MD5
fa982bede3552e226a6950a59fa9862b

SHA1
f0c2ca51c5c5a82028fff8757690594bde320ab7

SHA256
f4adc7f379298f2480544b0baae139e98fd93da4b0a8e12b47d35ef101671b72

SHA512
7c8afa2e1bbdcd36eaf2239ddce8dc46cd695a99b0c9b0b69030f6bc83d3b5a1133e609df4e7d19965b2543ed7ffd1ce29b11af1cb25b3e4b87520f82534c34d

Download Submit
C:\agentBrowsersavesRefBroker\r205Pw8aNtR7tAq13alM.bat

Filesize
48B

MD5
5bb1a4946c35c47dd502dfbcd6d3a3d7

SHA1
1e1e42c5996031e92e8314c45201ccbf1fa23607

SHA256
30921e7d9a89121e8d56de5182e7e487f8e02293e82e82c2c04a6a537150ef06

SHA512
87a63b9f407a21db0cc2d80e3b639833e5e9f790790a9fc69a65788b193af80e19717ac4dc449190cc69817b161aabaf4a9c338e8936c6907adf5c432f7156e1

Download Submit
C:\agentBrowsersavesRefBroker\uC6xwKvnImSiiPHU7zpWHQ8u.vbe

Filesize
223B

MD5
9403175bdfbadf333200b08d0f9a97e4

SHA1
c3383de367a292b0b2d12659468b7aa53985171d

SHA256
3185c369451bdae7ed017894d541c6957d5b583b4a31a8efd288cfe4ff457f87

SHA512
65ca9bdc7f0c2d9ddae0c2f6253386587f5e41fd0a1353a11c43c7352d6b218ad3b87160b536839f10bd2a6cd78d89053e77e3686284a5e66d7dd3ffd2176002

Download Submit
memory/536-132-0x0000000000000000-mapping.dmp

Download
memory/816-135-0x0000000000000000-mapping.dmp

Download
memory/1760-159-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/1760-166-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/1760-152-0x0000000000000000-mapping.dmp

Download
memory/2344-157-0x00000253B97E0000-0x00000253B9802000-memory.dmp

Filesize
136KB

Download
memory/2344-167-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/2344-161-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/2344-151-0x0000000000000000-mapping.dmp

Download
memory/2704-168-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/2704-158-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/2704-150-0x0000000000000000-mapping.dmp

Download
memory/3856-156-0x000000001DD37000-0x000000001DD3C000-memory.dmp

Filesize
20KB

Download
memory/3856-139-0x0000000000960000-0x0000000000B20000-memory.dmp

Filesize
1.8MB

Download
memory/3856-155-0x000000001DD34000-0x000000001DD37000-memory.dmp

Filesize
12KB

Download
memory/3856-144-0x000000001DD30000-0x000000001DD34000-memory.dmp

Filesize
16KB

Download
memory/3856-153-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/3856-136-0x0000000000000000-mapping.dmp

Download
memory/3856-143-0x0000000002B69000-0x0000000002B6F000-memory.dmp

Filesize
24KB

Download
memory/3856-145-0x000000001DD34000-0x000000001DD37000-memory.dmp

Filesize
12KB

Download
memory/3856-148-0x0000000002B69000-0x0000000002B6F000-memory.dmp

Filesize
24KB

Download
memory/3856-142-0x000000001CD70000-0x000000001D298000-memory.dmp

Filesize
5.2MB

Download
memory/3856-141-0x000000001C7F0000-0x000000001C840000-memory.dmp

Filesize
320KB

Download
memory/3856-140-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/3856-147-0x000000001DD37000-0x000000001DD3C000-memory.dmp

Filesize
20KB

Download
memory/3856-154-0x000000001DD30000-0x000000001DD34000-memory.dmp

Filesize
16KB

Download
memory/3856-146-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/3932-170-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/3932-160-0x00007FFC18070000-0x00007FFC18B31000-memory.dmp

Filesize
10.8MB

Download
memory/3932-149-0x0000000000000000-mapping.dmp

Download