dcrat | 7b1c20701d541771b5819005700826712f27970a335dda7cf150e2564802d515

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2023 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2ea8c0f0b809338bc212b9dce4169c6.exe
Size

1.8MB
MD5

a2ea8c0f0b809338bc212b9dce4169c6
SHA1

2055d655fdc1da4d9090871b90a12a7d6f749d7d
SHA256

7b1c20701d541771b5819005700826712f27970a335dda7cf150e2564802d515
SHA512

e6fed299bc4590e94b9ec25c7ba16ee974b738961c8899ff670e7a5c6560361038ad5e970ddd207c90316455363d943a95b8afc5416b8dfcd755fc133f49e60e
SSDEEP

24576:26DZpO9y7b5UC4iSiLryeCB7sDmJEtQNUdvnCYjOjO45CT8xBVZHUnc9v8E99JG1:NDDHVHQNM1rcBUczNGHV

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sihost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sihost.exe\", \"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\SearchApp.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sihost.exe\", \"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\", \"C:\\Users\\Admin\\Music\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\odt\\SppExtComObj.exe\", \"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\", \"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\Configuration\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sihost.exe\", \"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	dllhost.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	1172	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1172	schtasks.exe

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe	dcrat
C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe	dcrat
C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe	dcrat
behavioral2/memory/4036-147-0x0000000000400000-0x0000000000456000-memory.dmp	dcrat
C:\Users\Admin\AppData\Roaming\Adobe\dllhost.exe	dcrat
C:\Users\Admin\AppData\Roaming\Adobe\dllhost.exe	dcrat
behavioral2/memory/1224-164-0x0000000000FE0000-0x0000000001036000-memory.dmp	dcrat
C:\Windows\Prefetch\ReadyBoot\sppsvc.exe	dcrat
C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe	dcrat
C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe	dcrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2ea8c0f0b809338bc212b9dce4169c6.exeJjaxjjjbnfhspjlmroqdcratbuild (4).exeWScript.exedllhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	a2ea8c0f0b809338bc212b9dce4169c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	dllhost.exe

Executes dropped EXE 3 IoCs

Processes:

Jjaxjjjbnfhspjlmroqdcratbuild (4).exedllhost.exeSearchApp.exe

pid process

116 Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
1224 dllhost.exe
3740 SearchApp.exe

pid	process
116	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
1224	dllhost.exe
3740	SearchApp.exe

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Prefetch\\ReadyBoot\\sppsvc.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\7-Zip\\RuntimeBroker.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Admin\\Music\\SearchApp.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\Admin\\Music\\SearchApp.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\odt\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sihost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OfficeClickToRun.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\conhost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\odt\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SKB\\LanguageModels\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\SearchApp.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files (x86)\\Windows Media Player\\Media Renderer\\sihost.exe\""	dllhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\SppExtComObj.exe\""	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files\\WindowsPowerShell\\Configuration\\SearchApp.exe\""	dllhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

a2ea8c0f0b809338bc212b9dce4169c6.exe

description pid process target process

PID 2264 set thread context of 4036 2264 a2ea8c0f0b809338bc212b9dce4169c6.exe a2ea8c0f0b809338bc212b9dce4169c6.exe

description	pid	process	target process
PID 2264 set thread context of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe

Drops file in Program Files directory 13 IoCs

Processes:

dllhost.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\OfficeClickToRun.exe	dllhost.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe	dllhost.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\088424020bedd6	dllhost.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe	dllhost.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\66fc9ff0ee96c2	dllhost.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\SppExtComObj.exe	dllhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe	dllhost.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\e6c9b481da804f	dllhost.exe
File created	C:\Program Files\7-Zip\RuntimeBroker.exe	dllhost.exe
File created	C:\Program Files\7-Zip\9e8d7a4ca61bd9	dllhost.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe	dllhost.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\38384e6a620884	dllhost.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\e1ef82546f0b02	dllhost.exe

Drops file in Windows directory 4 IoCs

Processes:

dllhost.exe

description	ioc	process
File created	C:\Windows\SKB\LanguageModels\SppExtComObj.exe	dllhost.exe
File created	C:\Windows\SKB\LanguageModels\e1ef82546f0b02	dllhost.exe
File created	C:\Windows\Prefetch\ReadyBoot\sppsvc.exe	dllhost.exe
File created	C:\Windows\Prefetch\ReadyBoot\0a1fd5f707cd16	dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1912	schtasks.exe
3000	schtasks.exe
3444	schtasks.exe
1028	schtasks.exe
3272	schtasks.exe
2864	schtasks.exe
5000	schtasks.exe
4948	schtasks.exe
2152	schtasks.exe
2204	schtasks.exe
2876	schtasks.exe
3984	schtasks.exe
4164	schtasks.exe
3440	schtasks.exe
2976	schtasks.exe
4016	schtasks.exe
3892	schtasks.exe
1268	schtasks.exe
2324	schtasks.exe
3264	schtasks.exe
2500	schtasks.exe
4080	schtasks.exe
756	schtasks.exe
512	schtasks.exe
2772	schtasks.exe
2776	schtasks.exe
1320	schtasks.exe
5016	schtasks.exe
480	schtasks.exe
4864	schtasks.exe
4672	schtasks.exe
4312	schtasks.exe
3600	schtasks.exe
1476	schtasks.exe
5020	schtasks.exe
4272	schtasks.exe
772	schtasks.exe
2188	schtasks.exe
440	schtasks.exe
3772	schtasks.exe
1676	schtasks.exe
3348	schtasks.exe

Modifies registry class 1 IoCs

Processes:

Jjaxjjjbnfhspjlmroqdcratbuild (4).exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

a2ea8c0f0b809338bc212b9dce4169c6.exedllhost.exeSearchApp.exe

pid	process
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
1224	dllhost.exe
1224	dllhost.exe
1224	dllhost.exe
1224	dllhost.exe
1224	dllhost.exe
1224	dllhost.exe
1224	dllhost.exe
3740	SearchApp.exe
3740	SearchApp.exe
3740	SearchApp.exe
3740	SearchApp.exe
3740	SearchApp.exe
3740	SearchApp.exe
3740	SearchApp.exe
3740	SearchApp.exe
3740	SearchApp.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

a2ea8c0f0b809338bc212b9dce4169c6.exeSearchApp.exe

pid process

4036 a2ea8c0f0b809338bc212b9dce4169c6.exe
3740 SearchApp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a2ea8c0f0b809338bc212b9dce4169c6.exea2ea8c0f0b809338bc212b9dce4169c6.exedllhost.exeSearchApp.exe

description	pid	process
Token: SeDebugPrivilege	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe
Token: SeDebugPrivilege	4036	a2ea8c0f0b809338bc212b9dce4169c6.exe
Token: SeDebugPrivilege	1224	dllhost.exe
Token: SeDebugPrivilege	3740	SearchApp.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

a2ea8c0f0b809338bc212b9dce4169c6.exeJjaxjjjbnfhspjlmroqdcratbuild (4).exeWScript.execmd.exedllhost.exe

description	pid	process	target process
PID 2264 wrote to memory of 116	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
PID 2264 wrote to memory of 116	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
PID 2264 wrote to memory of 116	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 2264 wrote to memory of 4036	2264	a2ea8c0f0b809338bc212b9dce4169c6.exe	a2ea8c0f0b809338bc212b9dce4169c6.exe
PID 116 wrote to memory of 3368	116	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe	WScript.exe
PID 116 wrote to memory of 3368	116	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe	WScript.exe
PID 116 wrote to memory of 3368	116	Jjaxjjjbnfhspjlmroqdcratbuild (4).exe	WScript.exe
PID 3368 wrote to memory of 4424	3368	WScript.exe	cmd.exe
PID 3368 wrote to memory of 4424	3368	WScript.exe	cmd.exe
PID 3368 wrote to memory of 4424	3368	WScript.exe	cmd.exe
PID 4424 wrote to memory of 1224	4424	cmd.exe	dllhost.exe
PID 4424 wrote to memory of 1224	4424	cmd.exe	dllhost.exe
PID 1224 wrote to memory of 3740	1224	dllhost.exe	SearchApp.exe
PID 1224 wrote to memory of 3740	1224	dllhost.exe	SearchApp.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe
"C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
"C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\52gkn9uQF.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\yejrXrInbKlCAF.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Roaming\Adobe\dllhost.exe
"C:\Users\Admin\AppData\Roaming\\Adobe\dllhost.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe
"C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe
C:\Users\Admin\AppData\Local\Temp\a2ea8c0f0b809338bc212b9dce4169c6.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\odt\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\odt\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\SKB\LanguageModels\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Windows\SKB\LanguageModels\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe
Filesize
315KB

MD5
3d4f1aeaa622ea7e8b48ee771fcdd7a8

SHA1
72fc8a599685a0c8c65cebd5082e8f430ca150f8

SHA256
8174f504f7182aadc73523cea6ecd0c3ad4710d3d42d5021d9bb6f0891886cb6

SHA512
b714e3b35d2e00de506ca0a37d00f20efd9ddce199f5824450e0f35b969432aa0b35f03873d0094dad286d38a5bffbd869e6f4e336ce7e04e06e2516c8f004b8

Download Submit
C:\Program Files\WindowsPowerShell\Configuration\SearchApp.exe
Filesize
315KB

MD5
3d4f1aeaa622ea7e8b48ee771fcdd7a8

SHA1
72fc8a599685a0c8c65cebd5082e8f430ca150f8

SHA256
8174f504f7182aadc73523cea6ecd0c3ad4710d3d42d5021d9bb6f0891886cb6

SHA512
b714e3b35d2e00de506ca0a37d00f20efd9ddce199f5824450e0f35b969432aa0b35f03873d0094dad286d38a5bffbd869e6f4e336ce7e04e06e2516c8f004b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
Filesize
625KB

MD5
9d9b928d96d953d897a2188a966b80ff

SHA1
31a78db2671a87af5ead30b11229f62854189cd0

SHA256
04228c9adeaa607dd537c69a15e2a176c85b731856a0243ae92c0d70c35c00c1

SHA512
ae73d3345b626f0e48edf7a6a666bd16a6bd617a28c61acdb1e4a247084642462b5e393c26cbc7a2e009ecc1a85c46281051e4c6262f62fec0f5a81e1cfcdc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
Filesize
625KB

MD5
9d9b928d96d953d897a2188a966b80ff

SHA1
31a78db2671a87af5ead30b11229f62854189cd0

SHA256
04228c9adeaa607dd537c69a15e2a176c85b731856a0243ae92c0d70c35c00c1

SHA512
ae73d3345b626f0e48edf7a6a666bd16a6bd617a28c61acdb1e4a247084642462b5e393c26cbc7a2e009ecc1a85c46281051e4c6262f62fec0f5a81e1cfcdc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jjaxjjjbnfhspjlmroqdcratbuild (4).exe
Filesize
625KB

MD5
9d9b928d96d953d897a2188a966b80ff

SHA1
31a78db2671a87af5ead30b11229f62854189cd0

SHA256
04228c9adeaa607dd537c69a15e2a176c85b731856a0243ae92c0d70c35c00c1

SHA512
ae73d3345b626f0e48edf7a6a666bd16a6bd617a28c61acdb1e4a247084642462b5e393c26cbc7a2e009ecc1a85c46281051e4c6262f62fec0f5a81e1cfcdc65

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\52gkn9uQF.vbe
Filesize
205B

MD5
241811b50c4ce030ecd48ebd49cd4a98

SHA1
4187db39f29719cb76395fb6d9ea2db872ac21bd

SHA256
d8835725b67daf4d34a4f49d8cdf3e6f5ca091372a38044960d3117248bae032

SHA512
9d4db48d1b2c2cdb079cdcd618da3edbba85c984f25f23d8cfdf9be0091b945c29b0e895530f6b292fd825a6023bc357716ffbf9cabb62997a6709a1e6f2c707

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\dllhost.exe
Filesize
315KB

MD5
3d4f1aeaa622ea7e8b48ee771fcdd7a8

SHA1
72fc8a599685a0c8c65cebd5082e8f430ca150f8

SHA256
8174f504f7182aadc73523cea6ecd0c3ad4710d3d42d5021d9bb6f0891886cb6

SHA512
b714e3b35d2e00de506ca0a37d00f20efd9ddce199f5824450e0f35b969432aa0b35f03873d0094dad286d38a5bffbd869e6f4e336ce7e04e06e2516c8f004b8

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\dllhost.exe
Filesize
315KB

MD5
3d4f1aeaa622ea7e8b48ee771fcdd7a8

SHA1
72fc8a599685a0c8c65cebd5082e8f430ca150f8

SHA256
8174f504f7182aadc73523cea6ecd0c3ad4710d3d42d5021d9bb6f0891886cb6

SHA512
b714e3b35d2e00de506ca0a37d00f20efd9ddce199f5824450e0f35b969432aa0b35f03873d0094dad286d38a5bffbd869e6f4e336ce7e04e06e2516c8f004b8

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\yejrXrInbKlCAF.bat
Filesize
30B

MD5
8a2510fd7b4b55da07578e53e62df857

SHA1
c2a3092371375e47e1d80531b09a5552faa9156c

SHA256
47eab317103b819eebe671607203c05d3bdf2531323515122a233f34099eb8f3

SHA512
573d8fed7c15abf74ada2c08f0a649167a1cdf57431e8d111de8ddb41eec88acee38cf869ef895dc9116bc49902b47815a4dde76935a5b02d67911470254a572

Download Submit
C:\Windows\Prefetch\ReadyBoot\sppsvc.exe
Filesize
315KB

MD5
3d4f1aeaa622ea7e8b48ee771fcdd7a8

SHA1
72fc8a599685a0c8c65cebd5082e8f430ca150f8

SHA256
8174f504f7182aadc73523cea6ecd0c3ad4710d3d42d5021d9bb6f0891886cb6

SHA512
b714e3b35d2e00de506ca0a37d00f20efd9ddce199f5824450e0f35b969432aa0b35f03873d0094dad286d38a5bffbd869e6f4e336ce7e04e06e2516c8f004b8

Download Submit
memory/1224-167-0x00000000031F0000-0x0000000003200000-memory.dmp

Filesize
64KB

Download
memory/1224-164-0x0000000000FE0000-0x0000000001036000-memory.dmp

Filesize
344KB

Download
memory/2264-135-0x0000000004F60000-0x0000000004FF2000-memory.dmp

Filesize
584KB

Download
memory/2264-138-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/2264-137-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/2264-133-0x00000000004A0000-0x000000000066E000-memory.dmp

Filesize
1.8MB

Download
memory/2264-136-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/2264-134-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/3740-205-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/3740-206-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/4036-159-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/4036-147-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4036-158-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/4036-149-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download