dcrat | 326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88

Analysis

max time kernel
131s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2059b153136de16e58e27a8549dac1b5.exe
Size

1.1MB
MD5

2059b153136de16e58e27a8549dac1b5
SHA1

47f7fdbee2c963e63b52cac18bc5b9bed9b7c10c
SHA256

326975832674627265c01a626a19ae8ff0a30fd7b7db9e17c098329730286f88
SHA512

4c2fea8436618c98cae0de3f1cc99dd26de6f84472eba496e49328f9354d3d10adbbb58b6867e35a1047deadd2bf4a9622c7328b7ffc7d1a280bc590015fa50e
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbDEq7n2lBvR0dWfExtTWmOfcziDi+CUF9q:u2G/nvxW3WieCDHWBvNCtbskUF9q

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1676	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	1676	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0006000000023217-9.dat	dcrat
behavioral2/memory/3036-12-0x0000000000190000-0x0000000000266000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	2059b153136de16e58e27a8549dac1b5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	runtimesvc.exe

Executes dropped EXE 2 IoCs

pid	Process
3036	runtimesvc.exe
4416	TextInputHost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\fontdrvhost.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\5b884080fd4f94	runtimesvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\f3b6ecef712a24	runtimesvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	runtimesvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\55b276f4edf653	runtimesvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\fontdrvhost.exe	runtimesvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\5b884080fd4f94	runtimesvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\Idle.exe	runtimesvc.exe
File created	C:\Windows\L2Schemas\6ccacd8608530f	runtimesvc.exe
File created	C:\Windows\LanguageOverlayCache\runtimesvc.exe	runtimesvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5044	schtasks.exe
2320	schtasks.exe
812	schtasks.exe
4664	schtasks.exe
2808	schtasks.exe
4272	schtasks.exe
1404	schtasks.exe
3488	schtasks.exe
5088	schtasks.exe
4536	schtasks.exe
4392	schtasks.exe
4216	schtasks.exe
4180	schtasks.exe
912	schtasks.exe
1308	schtasks.exe
516	schtasks.exe
2648	schtasks.exe
4544	schtasks.exe
1192	schtasks.exe
2940	schtasks.exe
376	schtasks.exe
2156	schtasks.exe
3012	schtasks.exe
4920	schtasks.exe
5108	schtasks.exe
3500	schtasks.exe
4532	schtasks.exe
1840	schtasks.exe
3076	schtasks.exe
4864	schtasks.exe
316	schtasks.exe
4320	schtasks.exe
1856	schtasks.exe
2436	schtasks.exe
5032	schtasks.exe
2376	schtasks.exe
184	schtasks.exe
2852	schtasks.exe
4192	schtasks.exe
4740	schtasks.exe
4140	schtasks.exe
324	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	2059b153136de16e58e27a8549dac1b5.exe
Key created	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\Local Settings	runtimesvc.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3036	runtimesvc.exe
3036	runtimesvc.exe
3036	runtimesvc.exe
3036	runtimesvc.exe
4416	TextInputHost.exe
4416	TextInputHost.exe
4416	TextInputHost.exe
4416	TextInputHost.exe
4416	TextInputHost.exe
4416	TextInputHost.exe
4416	TextInputHost.exe
4416	TextInputHost.exe
4416	TextInputHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4416	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	runtimesvc.exe
Token: SeDebugPrivilege	4416	TextInputHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 3420	1996	2059b153136de16e58e27a8549dac1b5.exe	84
PID 1996 wrote to memory of 3420	1996	2059b153136de16e58e27a8549dac1b5.exe	84
PID 1996 wrote to memory of 3420	1996	2059b153136de16e58e27a8549dac1b5.exe	84
PID 3420 wrote to memory of 4008	3420	WScript.exe	85
PID 3420 wrote to memory of 4008	3420	WScript.exe	85
PID 3420 wrote to memory of 4008	3420	WScript.exe	85
PID 4008 wrote to memory of 3036	4008	cmd.exe	87
PID 4008 wrote to memory of 3036	4008	cmd.exe	87
PID 3036 wrote to memory of 3556	3036	runtimesvc.exe	131
PID 3036 wrote to memory of 3556	3036	runtimesvc.exe	131
PID 3556 wrote to memory of 2328	3556	cmd.exe	133
PID 3556 wrote to memory of 2328	3556	cmd.exe	133
PID 3556 wrote to memory of 4416	3556	cmd.exe	138
PID 3556 wrote to memory of 4416	3556	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2059b153136de16e58e27a8549dac1b5.exe
"C:\Users\Admin\AppData\Local\Temp\2059b153136de16e58e27a8549dac1b5.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hypersurrogatesavesIntonet\nNwgCkzp4Tu.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\hypersurrogatesavesIntonet\XzEJPxdTk.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\hypersurrogatesavesIntonet\runtimesvc.exe
      "C:\hypersurrogatesavesIntonet\runtimesvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rckyE5oxVC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2328
      - C:\Users\Admin\Saved Games\TextInputHost.exe
        
        "C:\Users\Admin\Saved Games\TextInputHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\hypersurrogatesavesIntonet\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\hypersurrogatesavesIntonet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\hypersurrogatesavesIntonet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\hypersurrogatesavesIntonet\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\hypersurrogatesavesIntonet\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\hypersurrogatesavesIntonet\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Saved Games\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\hypersurrogatesavesIntonet\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\hypersurrogatesavesIntonet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\hypersurrogatesavesIntonet\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\rckyE5oxVC.bat

Filesize
209B

MD5
c455bc53b8bde15af0e3df8ca91396b9

SHA1
bd7d92912a5cf130ecadd5f9be975242614c3537

SHA256
a8c7c85177641d636f07040fc85911f7a3790cbf3cd91f68d9fa74eae33e6f8e

SHA512
8fe20ca57ffe18d7f2edfe02eede2d1e81595408b2bee7f55fe20f304ebd362011c0430dc041341fbf2105d6844da9bc58bfeb1fea15a39263dc449aa9cc522d

Download Submit
C:\hypersurrogatesavesIntonet\XzEJPxdTk.bat

Filesize
46B

MD5
ccbd5a0fde012049bf4e8b28566ca30e

SHA1
8df48a4a6319201e65fcc50925d0eb9f505fa949

SHA256
dd75a7f5f37127d0dfbfb6fac014b6345e318ec09197b42a32930fe902a38bcd

SHA512
ee34c5e259c8593eee2730d5f2e263fde14f70c47404b7743fea15ced052817f98daea57e1bd46f6fd2a98f4a12f02a85f39402d112d46053d77692732510baf

Download Submit
C:\hypersurrogatesavesIntonet\nNwgCkzp4Tu.vbe

Filesize
212B

MD5
8671b76c7387f72afcf00a18a32c3cbd

SHA1
6e4d2251cfca5b7673e0419703aaef91c4329210

SHA256
b5d7aa554ff2815f7b664ec2b777944acef1438987876cb55183378059e18a32

SHA512
0c096f044ce9bc7f75a691ce5b51f30ed8fbf1d559ae5ce5c30a08d9f1a9060cefd56029829c82fbc7c0a296dddb41f02dd912aae3e38e0615e273bf601a3b48

Download Submit
C:\hypersurrogatesavesIntonet\runtimesvc.exe

Filesize
827KB

MD5
ed66730e6ae871c628540ae1d707ffa4

SHA1
724a5d4a86e5af83df6c309fa4a5908a115f149d

SHA256
17431781b4d634c1a6f0e6265fdafcdf9eb122ad54f39a35a65ad0aca9a90767

SHA512
3260f29bd032a76fd4e36be67dafc0edaa57f4d39afbd673611064180b3340870757c867bc010531e98f39c384af5fdb1fe3bb4cd872918e8ca5bc11408bddb7

Download Submit
memory/3036-12-0x0000000000190000-0x0000000000266000-memory.dmp

Filesize
856KB

Download
memory/3036-13-0x00007FFA4A450000-0x00007FFA4AF11000-memory.dmp

Filesize
10.8MB

Download
memory/3036-14-0x0000000000CA0000-0x0000000000CB0000-memory.dmp

Filesize
64KB

Download
memory/3036-48-0x00007FFA4A450000-0x00007FFA4AF11000-memory.dmp

Filesize
10.8MB

Download
memory/4416-53-0x00007FFA4A100000-0x00007FFA4ABC1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-54-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

Filesize
64KB

Download
memory/4416-55-0x00007FFA4A100000-0x00007FFA4ABC1000-memory.dmp

Filesize
10.8MB

Download
memory/4416-56-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

Filesize
64KB

Download