dcrat | 0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe
Size

1.7MB
MD5

e28689bf7ea24c8051fd6e910fd259d4
SHA1

fd55b3eb6123754cdb8dcc1d42f8d9aefa429758
SHA256

0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1
SHA512

32d8d58c0c9178980c6ca8e202cbaa51cba951a4bcee19bf0022d657dbf50012d12e52f77b8f6c0c69a34f0c2ffce883fd9a629f9b3b026ce9039bac73e015aa
SSDEEP

24576:U2G/nvxW3Ww0tpaKkjLB0zOyM6/aAUIFGAqo2mSNgaMhYYSJvL87:UbA308Kk+ze2GAdSNzYSNLQ

Score

10^/10

dcrat execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat 33 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
1820	schtasks.exe
1180	schtasks.exe
1500	schtasks.exe
2472	schtasks.exe
1804	schtasks.exe
2856	schtasks.exe
2172	schtasks.exe
2536	schtasks.exe
1144	schtasks.exe
1652	schtasks.exe
1452	schtasks.exe
1184	schtasks.exe
600	schtasks.exe
632	schtasks.exe
2736	schtasks.exe
2224	schtasks.exe
1928	schtasks.exe
1632	schtasks.exe
2452	schtasks.exe
2220	schtasks.exe
1868	schtasks.exe
1032	schtasks.exe
852	schtasks.exe
2308	schtasks.exe
2564	schtasks.exe
2704	schtasks.exe
2292	schtasks.exe
2164	schtasks.exe
2808	schtasks.exe
1548	schtasks.exe
2284	schtasks.exe
700	schtasks.exe
572	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 11 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\", \"C:\\Users\\Admin\\Contacts\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\winlogon.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\", \"C:\\Users\\Admin\\Contacts\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\winlogon.exe\", \"C:\\Users\\Default\\lsass.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\", \"C:\\Users\\Admin\\Contacts\\csrss.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\", \"C:\\Users\\Admin\\Contacts\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\", \"C:\\Users\\Admin\\Contacts\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\", \"C:\\Users\\Admin\\Contacts\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\dwm.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\", \"C:\\Users\\Admin\\Contacts\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\dwm.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\winlogon.exe\", \"C:\\Users\\Default\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\explorer.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Recent\\services.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\", \"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\", \"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\""	browserwinsvc.exe

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2608	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2608	schtasks.exe	32

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000014a9a-9.dat	dcrat
behavioral1/memory/2656-13-0x0000000000140000-0x00000000002A2000-memory.dmp	dcrat
behavioral1/memory/2988-59-0x00000000001A0000-0x0000000000302000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
448	powershell.exe
1708	powershell.exe
2088	powershell.exe
2412	powershell.exe
1388	powershell.exe
2984	powershell.exe
1100	powershell.exe
776	powershell.exe
996	powershell.exe
1572	powershell.exe
1836	powershell.exe
1392	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2656	browserwinsvc.exe
2988	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	cmd.exe
2588	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\explorer.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Recent\\services.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Contacts\\csrss.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\winlogon.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Surrogateprovidercomponentsessionmonitor\\dwm.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\lsass.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\lsass.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Defender\\fr-FR\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Surrogateprovidercomponentsessionmonitor\\lsm.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Contacts\\csrss.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\taskhost.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Surrogateprovidercomponentsessionmonitor\\dwm.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Recent\\services.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\77984722-d108-11ee-bdd4-c695cbc44580\\sppsvc.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Microsoft Office\\Templates\\1033\\Access\\WSS\\winlogon.exe\""	browserwinsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Microsoft Office\\Document Themes 14\\explorer.exe\""	browserwinsvc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\fr-FR\sppsvc.exe	browserwinsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\0a1fd5f707cd16	browserwinsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe	browserwinsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\0a1fd5f707cd16	browserwinsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\winlogon.exe	browserwinsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\cc11b995f2a76d	browserwinsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\explorer.exe	browserwinsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\7a0fd90576e088	browserwinsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2452	schtasks.exe
2808	schtasks.exe
2536	schtasks.exe
1868	schtasks.exe
1820	schtasks.exe
1928	schtasks.exe
1452	schtasks.exe
2284	schtasks.exe
2164	schtasks.exe
2564	schtasks.exe
1548	schtasks.exe
1652	schtasks.exe
1184	schtasks.exe
2292	schtasks.exe
700	schtasks.exe
1632	schtasks.exe
2220	schtasks.exe
1180	schtasks.exe
632	schtasks.exe
2736	schtasks.exe
600	schtasks.exe
572	schtasks.exe
852	schtasks.exe
1500	schtasks.exe
2472	schtasks.exe
1804	schtasks.exe
2856	schtasks.exe
1032	schtasks.exe
1144	schtasks.exe
2704	schtasks.exe
2224	schtasks.exe
2172	schtasks.exe
2308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2656	browserwinsvc.exe
2656	browserwinsvc.exe
2656	browserwinsvc.exe
2656	browserwinsvc.exe
776	powershell.exe
1388	powershell.exe
1100	powershell.exe
996	powershell.exe
448	powershell.exe
2412	powershell.exe
2088	powershell.exe
1572	powershell.exe
1708	powershell.exe
1392	powershell.exe
2984	powershell.exe
1836	powershell.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe
2988	taskhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	taskhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2656	browserwinsvc.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2988	taskhost.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2012	2372	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe	28
PID 2372 wrote to memory of 2012	2372	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe	28
PID 2372 wrote to memory of 2012	2372	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe	28
PID 2372 wrote to memory of 2012	2372	0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe	28
PID 2012 wrote to memory of 2588	2012	WScript.exe	29
PID 2012 wrote to memory of 2588	2012	WScript.exe	29
PID 2012 wrote to memory of 2588	2012	WScript.exe	29
PID 2012 wrote to memory of 2588	2012	WScript.exe	29
PID 2588 wrote to memory of 2656	2588	cmd.exe	31
PID 2588 wrote to memory of 2656	2588	cmd.exe	31
PID 2588 wrote to memory of 2656	2588	cmd.exe	31
PID 2588 wrote to memory of 2656	2588	cmd.exe	31
PID 2656 wrote to memory of 1100	2656	browserwinsvc.exe	66
PID 2656 wrote to memory of 1100	2656	browserwinsvc.exe	66
PID 2656 wrote to memory of 1100	2656	browserwinsvc.exe	66
PID 2656 wrote to memory of 1388	2656	browserwinsvc.exe	67
PID 2656 wrote to memory of 1388	2656	browserwinsvc.exe	67
PID 2656 wrote to memory of 1388	2656	browserwinsvc.exe	67
PID 2656 wrote to memory of 996	2656	browserwinsvc.exe	68
PID 2656 wrote to memory of 996	2656	browserwinsvc.exe	68
PID 2656 wrote to memory of 996	2656	browserwinsvc.exe	68
PID 2656 wrote to memory of 776	2656	browserwinsvc.exe	69
PID 2656 wrote to memory of 776	2656	browserwinsvc.exe	69
PID 2656 wrote to memory of 776	2656	browserwinsvc.exe	69
PID 2656 wrote to memory of 448	2656	browserwinsvc.exe	71
PID 2656 wrote to memory of 448	2656	browserwinsvc.exe	71
PID 2656 wrote to memory of 448	2656	browserwinsvc.exe	71
PID 2656 wrote to memory of 2412	2656	browserwinsvc.exe	74
PID 2656 wrote to memory of 2412	2656	browserwinsvc.exe	74
PID 2656 wrote to memory of 2412	2656	browserwinsvc.exe	74
PID 2656 wrote to memory of 2088	2656	browserwinsvc.exe	76
PID 2656 wrote to memory of 2088	2656	browserwinsvc.exe	76
PID 2656 wrote to memory of 2088	2656	browserwinsvc.exe	76
PID 2656 wrote to memory of 1708	2656	browserwinsvc.exe	77
PID 2656 wrote to memory of 1708	2656	browserwinsvc.exe	77
PID 2656 wrote to memory of 1708	2656	browserwinsvc.exe	77
PID 2656 wrote to memory of 2984	2656	browserwinsvc.exe	78
PID 2656 wrote to memory of 2984	2656	browserwinsvc.exe	78
PID 2656 wrote to memory of 2984	2656	browserwinsvc.exe	78
PID 2656 wrote to memory of 1572	2656	browserwinsvc.exe	79
PID 2656 wrote to memory of 1572	2656	browserwinsvc.exe	79
PID 2656 wrote to memory of 1572	2656	browserwinsvc.exe	79
PID 2656 wrote to memory of 1392	2656	browserwinsvc.exe	81
PID 2656 wrote to memory of 1392	2656	browserwinsvc.exe	81
PID 2656 wrote to memory of 1392	2656	browserwinsvc.exe	81
PID 2656 wrote to memory of 1836	2656	browserwinsvc.exe	82
PID 2656 wrote to memory of 1836	2656	browserwinsvc.exe	82
PID 2656 wrote to memory of 1836	2656	browserwinsvc.exe	82
PID 2656 wrote to memory of 2988	2656	browserwinsvc.exe	89
PID 2656 wrote to memory of 2988	2656	browserwinsvc.exe	89
PID 2656 wrote to memory of 2988	2656	browserwinsvc.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe
"C:\Users\Admin\AppData\Local\Temp\0404ab7a5119b3223c76c18d653bac4e70c7226aabdbbc945cea2672b8867ab1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\v9suh58e6JIt2jtxqqX6.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Surrogateprovidercomponentsessionmonitor\IZ3MUeW4JZESEvbk.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe
      "C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe
        
        "C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Recent\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Surrogateprovidercomponentsessionmonitor\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Surrogateprovidercomponentsessionmonitor\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Contacts\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\77984722-d108-11ee-bdd4-c695cbc44580\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Surrogateprovidercomponentsessionmonitor\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Surrogateprovidercomponentsessionmonitor\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Surrogateprovidercomponentsessionmonitor\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Surrogateprovidercomponentsessionmonitor\IZ3MUeW4JZESEvbk.bat

Filesize
63B

MD5
6de687cf7ca366429c953cb49905b70a

SHA1
58e2c1823c038d8da8a2f042672027184066279e

SHA256
80d02a1cb8e68ffbc609a6c4914600604153ce929d46994200f837d354a5a611

SHA512
6bfa7a07d6adf167458cece0ba3a110479ee7677feb58c0ae9ba5c8913bcdda13664060ce0261abc1668c18831d5c73f6bc570be8595323d46704b810fc024ef

Download Submit
C:\Surrogateprovidercomponentsessionmonitor\v9suh58e6JIt2jtxqqX6.vbe

Filesize
233B

MD5
a43d6dd506db81004ed806f215426812

SHA1
64393ef16431d921a0b0a4c2e827c4cb31001706

SHA256
146e72957d4b362943fef3010cf3fffa001bdebd71700cdd5086ab89a7991e8d

SHA512
042210ce96a57a688c25ea82fa3caa5ce44fab23d5edc01ee4df478b7a607da3b4c04336c5e695555eb1930b9f310841fe752b87448c02c2da3a4e63de127818

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1b856eb20236fc7dc001dc8bb234bf69

SHA1
7e1bcf4f16bac5b323116606d0b47cbbf33347a4

SHA256
d15baa1da58a285378c7d795756fe700e346dcc348ebd0b70f58cc77fb8e7297

SHA512
74669612e1cd198a598f318084347f2cb0bc1ca8cdf7a3fe6a05295d81e61d58e11f4f0a8ad237a032110148662edca992db067aeece1e7ee1ff2befab6e17cb

Download Submit
\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

Filesize
1.4MB

MD5
841209ab771bde66b25dfd03ff84c68a

SHA1
3c23b1e5d84698723316059a0458350c0a67fb91

SHA256
d77d1a3421e4e6b898ef496c5c95159d03da7e29e6000a0d057f6da63ddac0c4

SHA512
99039987c13b7092ef15fabc7f2a49ea08b41882c41bb27fa776cd13d3cefc7a104e6777530151fbf43e232eba127b29dc6bc5ac9c51f86320800f868a59d160

Download Submit
memory/776-60-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1388-75-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2656-16-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2656-17-0x0000000000B60000-0x0000000000B76000-memory.dmp

Filesize
88KB

Download
memory/2656-18-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/2656-19-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2656-20-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/2656-15-0x00000000009B0000-0x00000000009CC000-memory.dmp

Filesize
112KB

Download
memory/2656-14-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2656-13-0x0000000000140000-0x00000000002A2000-memory.dmp

Filesize
1.4MB

Download
memory/2988-59-0x00000000001A0000-0x0000000000302000-memory.dmp

Filesize
1.4MB

Download