dcrat | e5f8616d5ed2e6e1538b238c2ef7d13ee680406899fa14cae2ad54bede356d4a

Analysis

max time kernel
296s
max time network
313s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QuasarModded.scr
Size

1.2MB
MD5

a4804946374d70da63b45d48c0de6188
SHA1

a00c5b21387aa3b2fa9eafd8bd3d0159de32454f
SHA256

e5f8616d5ed2e6e1538b238c2ef7d13ee680406899fa14cae2ad54bede356d4a
SHA512

d3e9bff12b39e2d4602e947be84606ffbd7af2bc9b0785721d9caf679163749892b7fa2cc33c76def45b275ce2971fef1a27d0369f857c42dca2dfd666631f5c
SSDEEP

24576:u2G/nvxW3WieCaZtNvoYU367xprsfVwkR4QuYN0wnxvjd:ubA3jGA+ruVwkz6wnxvx

Score

10^/10

dcrat evasion infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2416	schtasks.exe	102
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2416	schtasks.exe	102

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023641-15.dat	dcrat
behavioral2/memory/2124-17-0x0000000000FE0000-0x00000000010C8000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	QuasarModded.scr
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000\Control Panel\International\Geo\Nation	surrogateBrowser.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	surrogateBrowser.exe
2412	dllhost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Provisioning\Cosa\MO\cc11b995f2a76d	surrogateBrowser.exe
File created	C:\Windows\PolicyDefinitions\uk-UA\StartMenuExperienceHost.exe	surrogateBrowser.exe
File created	C:\Windows\PolicyDefinitions\uk-UA\55b276f4edf653	surrogateBrowser.exe
File created	C:\Windows\Containers\serviced\wininit.exe	surrogateBrowser.exe
File created	C:\Windows\Containers\serviced\56085415360792	surrogateBrowser.exe
File created	C:\Windows\Provisioning\Cosa\MO\winlogon.exe	surrogateBrowser.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	QuasarModded.scr
Key created	\REGISTRY\USER\S-1-5-21-661257284-3186977026-4220467887-1000_Classes\Local Settings	surrogateBrowser.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1044	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4572	schtasks.exe
4100	schtasks.exe
1316	schtasks.exe
5096	schtasks.exe
4496	schtasks.exe
4420	schtasks.exe
864	schtasks.exe
4988	schtasks.exe
4776	schtasks.exe
3600	schtasks.exe
4608	schtasks.exe
1344	schtasks.exe
3244	schtasks.exe
4628	schtasks.exe
1000	schtasks.exe
3476	schtasks.exe
4912	schtasks.exe
4140	schtasks.exe
3920	schtasks.exe
2968	schtasks.exe
3808	schtasks.exe
1148	schtasks.exe
744	schtasks.exe
4400	schtasks.exe
3116	schtasks.exe
2520	schtasks.exe
2588	schtasks.exe
2592	schtasks.exe
2456	schtasks.exe
1504	schtasks.exe
3820	schtasks.exe
224	schtasks.exe
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2124	surrogateBrowser.exe
2124	surrogateBrowser.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe
2412	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2412	dllhost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	surrogateBrowser.exe
Token: SeDebugPrivilege	2412	dllhost.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 512	4008	QuasarModded.scr	94
PID 4008 wrote to memory of 512	4008	QuasarModded.scr	94
PID 4008 wrote to memory of 512	4008	QuasarModded.scr	94
PID 4008 wrote to memory of 4708	4008	QuasarModded.scr	95
PID 4008 wrote to memory of 4708	4008	QuasarModded.scr	95
PID 4008 wrote to memory of 4708	4008	QuasarModded.scr	95
PID 4708 wrote to memory of 3732	4708	cmd.exe	139
PID 4708 wrote to memory of 3732	4708	cmd.exe	139
PID 4708 wrote to memory of 3732	4708	cmd.exe	139
PID 512 wrote to memory of 5116	512	WScript.exe	99
PID 512 wrote to memory of 5116	512	WScript.exe	99
PID 512 wrote to memory of 5116	512	WScript.exe	99
PID 5116 wrote to memory of 2124	5116	cmd.exe	101
PID 5116 wrote to memory of 2124	5116	cmd.exe	101
PID 2124 wrote to memory of 1444	2124	surrogateBrowser.exe	136
PID 2124 wrote to memory of 1444	2124	surrogateBrowser.exe	136
PID 5116 wrote to memory of 1044	5116	cmd.exe	138
PID 5116 wrote to memory of 1044	5116	cmd.exe	138
PID 5116 wrote to memory of 1044	5116	cmd.exe	138
PID 1444 wrote to memory of 3732	1444	cmd.exe	139
PID 1444 wrote to memory of 3732	1444	cmd.exe	139
PID 1444 wrote to memory of 2412	1444	cmd.exe	140
PID 1444 wrote to memory of 2412	1444	cmd.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\QuasarModded.scr
"C:\Users\Admin\AppData\Local\Temp\QuasarModded.scr" /S
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgewebfontDriver\JPEKY7KdznoNKJ6HgkX9q4NreF.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgewebfontDriver\Gg47yix3Ugv.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\bridgewebfontDriver\surrogateBrowser.exe
      "C:\bridgewebfontDriver\surrogateBrowser.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A9cZjy4QhO.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3732
      - C:\Users\Public\Pictures\dllhost.exe
        
        "C:\Users\Public\Pictures\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:1044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\bridgewebfontDriver\IJ5c76irDFq5p4JLIcG.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "echo Loading Windows...."
    3⤵
    PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,13421008738336098502,1902686380018635081,262144 --variations-seed-version --mojo-platform-channel-handle=3940 /prefetch:8
1⤵
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\bridgewebfontDriver\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\bridgewebfontDriver\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\bridgewebfontDriver\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\bridgewebfontDriver\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\bridgewebfontDriver\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\bridgewebfontDriver\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\bridgewebfontDriver\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\bridgewebfontDriver\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\bridgewebfontDriver\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Containers\serviced\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Cosa\MO\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\MO\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Cosa\MO\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\bridgewebfontDriver\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\bridgewebfontDriver\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\bridgewebfontDriver\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\uk-UA\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\uk-UA\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\A9cZjy4QhO.bat

Filesize
201B

MD5
20fc42b0414e9a7fb6713c296f76c9d8

SHA1
60f4abbabc5a8267299a68b28ff83a4d6f0529a6

SHA256
40b6fa2af2453add3b3870d28a7bfd6210a7cb67fec2d61e9bdfb079ab69a98a

SHA512
5fadce53f3330f3527513f879ab77d68b7207b882d7aa1592d6bab388ee9a3e3d634df7a55c6d8f2b32eca4c88615a6731914946ba2a21cbc1fc08fbacf435bf

Download Submit
C:\bridgewebfontDriver\Gg47yix3Ugv.bat

Filesize
157B

MD5
2145812a655fcd7fd26f377cca64e5ac

SHA1
12610088154f68594f5416c48cb0542a9d1b7b8d

SHA256
fb23c678fc163f761224473afc361013c1fd9d3297a5a99a252d7770b7b46be6

SHA512
a93fee719fbc9186c8ad706c05b7abddf40d8ba48aa34d8989c35a6660a4bf8d02273336c96e770bedeefe992041167e7abca2eff21a87da11fe98ff9dc268d0

Download Submit
C:\bridgewebfontDriver\IJ5c76irDFq5p4JLIcG.bat

Filesize
37B

MD5
6cd2aafebcf7db23c74ca6c73a041342

SHA1
600fc446485bfd277e415b768766bb9137fbe302

SHA256
af30295b156854859a392ca6afcdf01edb5e2df21b31c0787ab9396ddf44cb0e

SHA512
eb43e65b3f9296afd5907a95e23a86c2776da0cb7d8bdedb6c3bc30bfd37ec2a78227606d7bf4a3e05bf50248558835c9b2e77a9376b26ae36170a398a8087fa

Download Submit
C:\bridgewebfontDriver\JPEKY7KdznoNKJ6HgkX9q4NreF.vbe

Filesize
207B

MD5
abf61c238f6dd4ecb89a49801a52ce82

SHA1
1e61ebb43d17005a986cf3d7d5c93d1ccd9dc0fd

SHA256
d4955e52bc64f7bf143f0930a12f45710769c06323cc6ab1742a798b2a4362f3

SHA512
142c94171c559b936bd3f880183c7607ed4a9614b84dd6d844b692a4dd36d85a206bc780cd6c5158bc579c1cac75d57289b801b6bd4afe7c8cffb3436585b0d1

Download Submit
C:\bridgewebfontDriver\surrogateBrowser.exe

Filesize
897KB

MD5
9ec0bd3db90819b061753ad50f77741c

SHA1
b693c923ccc22944bbc1e8501e05fcc93e88b369

SHA256
80fdef187d476f0966a2565f2da801f45772c816f9c6350078a4010c87a26ef5

SHA512
93f04bbeeb4df2cca62ca5e1d2888650734e7fc54385a16537c11811085bd9520f770a38984aeeb512f65a8ec48b2285d896072b8400a5624c9c212d02f1bbad

Download Submit
memory/2124-17-0x0000000000FE0000-0x00000000010C8000-memory.dmp

Filesize
928KB

Download
memory/2124-18-0x00000000032F0000-0x00000000032FE000-memory.dmp

Filesize
56KB

Download