Analysis
max time kernel: 118s
max time network: 149s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 19-07-2024 10:13
Behavioral task behavioral1: Sample SandeLLoCHECKER_Installer (2).exe, Resource win7-20240704-en (the run shown on this page)
Behavioral task behavioral2: Sample SandeLLoCHECKER_Installer (2).exe, Resource win10v2004-20240709-en
General
Target: SandeLLoCHECKER_Installer (2).exe
Size: 1.5MB
MD5: 4c52459e292810c1197ed6f2e6486375
SHA1: 12f8ef89e298d758b61b8104aca610ddce9b5b4e
SHA256: 513bdf8d578fc535a41943fb900c32dc29de645bb9327ab3497b13632e04c6fc
SHA512: 47bf5deb7661948f84aa8319921ab19dd70e4751475d1682578960d30420c14842f3784f1e416472c252efd3411278711d85ec103664601062606da5a18debe7
SSDEEP: 24576:62G/nvxW3WvwD4cm7HZi6ABOSJcv9c3B8Z3Mnge2RxpA2UQXN58xTY6+2e:6bA3JDDmk6ocv9c3PiixiU+Z
Malware Config
Signatures
-
DcRat 51 IoCs
DarkCrystal RAT (DcRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes: schtasks.exe, 51 instances (PIDs: 768, 2708, 1116, 1764, 1488, 1640, 448, 2968, 2128, 2368, 1172, 2616, 2760, 2996, 712, 1336, 1540, 2776, 2880, 2788, 2728, 1796, 2032, 1968, 2804, 2912, 2540, 1280, 2840, 2872, 2764, 2064, 2556, 1848, 888, 956, 2216, 2376, 468, 2724, 2304, 3000, 2488, 1688, 1748, 1940, 572, 696, 2132, 1812, 1960)
Here the family signature matched on the 51 schtasks.exe invocations; the payload itself is identified by the dcrat YARA hits on surrogateweb.exe and on the two memory dumps listed further down.
Modifies WinLogon for persistence 2 TTPs 17 IoCs
Processes: surrogateweb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, written 17 times by surrogateweb.exe. Each write re-sets the value to "explorer.exe" followed by the paths added so far plus one more, so the 17 observed values are successive prefixes of the last one. In the order the paths are appended, the final value is:
explorer.exe,
1. "C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\lsm.exe"
2. "C:\MSOCache\All Users\csrss.exe"
3. "C:\Users\Default User\dllhost.exe"
4. "C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe"
5. "C:\Program Files\DVD Maker\Idle.exe"
6. "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
7. "C:\Users\Admin\dllhost.exe"
8. "C:\Windows\Speech\Engines\lsm.exe"
9. "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
10. "C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe"
11. "C:\Program Files\VideoLAN\VLC\skins\fonts\Idle.exe"
12. "C:\Users\Public\Videos\Sample Videos\csrss.exe"
13. "C:\Windows\ehome\MCX\X02\surrogateweb.exe"
14. "C:\chainproviderBrowsersvc\wininit.exe"
15. "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsm.exe"
16. "C:\chainproviderBrowsersvc\conhost.exe"
17. "C:\Windows\ModemLogs\System.exe"
Winlogon treats Shell as a comma-separated list and starts every entry at logon; because this is the HKLM key, the list applies to every user of the machine, so all 17 copies are launched alongside the desktop. Deleting the files without resetting Shell to "explorer.exe" leaves Winlogon attempting to start the missing paths at each logon.
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe, 51 instances
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2264) is not expected to spawn this process; it is the parent of every schtasks.exe instance below.
Child PIDs (parent PID 2264 in all cases): 2880, 3000, 2616, 2708, 2760, 2368, 2776, 2764, 2064, 2724, 2540, 2488, 2556, 2996, 2032, 1688, 712, 1812, 1748, 1968, 2304, 1848, 768, 1172, 1940, 1488, 1280, 1640, 572, 2840, 2804, 2872, 2788, 2728, 448, 2968, 1960, 956, 696, 1336, 2216, 1116, 1540, 2376, 2912, 2132, 468, 2128, 1764, 888, 1796
In this run the parent is not a compromised WmiPrvSE.exe: a WMI provider host spawning schtasks.exe is what process creation through WMI (for example Win32_Process.Create) looks like, and it is why the process list at the bottom of the page shows the schtasks.exe instances at depth 1 with no link back to surrogateweb.exe. Detections that follow the parent/child chain from the payload will miss these task creations; WmiPrvSE.exe spawning schtasks.exe is the indicator to key on.
YARA matches (rule dcrat):
- C:\chainproviderBrowsersvc\surrogateweb.exe
- behavioral1/memory/2332-13-0x00000000001D0000-0x0000000000302000-memory.dmp (surrogateweb.exe, PID 2332)
- behavioral1/memory/2416-58-0x0000000000250000-0x0000000000382000-memory.dmp (conhost.exe, PID 2416)
Both memory regions are 0x132000 bytes, consistent with the conhost.exe copy being the same DcRat image as surrogateweb.exe.
Executes dropped EXE 2 IoCs
Processes: 2332 surrogateweb.exe, 2416 conhost.exe
Loads dropped DLL 2 IoCs
Processes: 1912 cmd.exe (2 loads)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 34 IoCs
Processes: surrogateweb.exe
Set value (str) by surrogateweb.exe, 17 writes under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
- lsass = "C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe"
- Idle = "C:\Program Files\DVD Maker\Idle.exe"
- csrss = "C:\Users\Public\Videos\Sample Videos\csrss.exe"
- dllhost = "C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe"
- explorer = "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
- lsm = "C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\lsm.exe"
- surrogateweb = "C:\Windows\ehome\MCX\X02\surrogateweb.exe"
- Idle = "C:\Program Files\VideoLAN\VLC\skins\fonts\Idle.exe"
- lsm = "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsm.exe"
- System = "C:\Windows\ModemLogs\System.exe"
- lsm = "C:\Windows\Speech\Engines\lsm.exe"
- conhost = "C:\chainproviderBrowsersvc\conhost.exe"
- csrss = "C:\MSOCache\All Users\csrss.exe"
- lsass = "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
- wininit = "C:\chainproviderBrowsersvc\wininit.exe"
- dllhost = "C:\Users\Default User\dllhost.exe"
- dllhost = "C:\Users\Admin\dllhost.exe"
Set value (str) by surrogateweb.exe, 17 writes under \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run:
- csrss = "C:\Users\Public\Videos\Sample Videos\csrss.exe"
- dllhost = "C:\Users\Default User\dllhost.exe"
- explorer = "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe"
- Idle = "C:\Program Files\DVD Maker\Idle.exe"
- lsass = "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe"
- Idle = "C:\Program Files\VideoLAN\VLC\skins\fonts\Idle.exe"
- surrogateweb = "C:\Windows\ehome\MCX\X02\surrogateweb.exe"
- lsm = "C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\lsm.exe"
- wininit = "C:\chainproviderBrowsersvc\wininit.exe"
- lsm = "C:\Windows\Speech\Engines\lsm.exe"
- System = "C:\Windows\ModemLogs\System.exe"
- csrss = "C:\MSOCache\All Users\csrss.exe"
- conhost = "C:\chainproviderBrowsersvc\conhost.exe"
- lsm = "C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsm.exe"
- dllhost = "C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe"
- dllhost = "C:\Users\Admin\dllhost.exe"
- lsass = "C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe"
Every one of the 17 dropped copies is registered in both the machine and the user Run key. The value name is just the file name, so names collide (dllhost and lsm three times each, lsass, Idle and csrss twice each): only the last write per name survives in each hive, and at most 10 distinct Run values remain. The scheduled tasks and the Winlogon Shell entry cover the copies whose Run value was overwritten.
Drops file in Program Files directory 8 IoCs
Processes: surrogateweb.exe
File created by surrogateweb.exe:
- C:\Program Files\VideoLAN\VLC\skins\fonts\Idle.exe
- C:\Program Files\VideoLAN\VLC\skins\fonts\6ccacd8608530f
- C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsm.exe
- C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\101b941d020240
- C:\Program Files\DVD Maker\Idle.exe
- C:\Program Files\DVD Maker\6ccacd8608530f
- C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe
- C:\Program Files (x86)\Microsoft Synchronization Services\6203df4a6bafc7
Drops file in Windows directory 6 IoCs
Processes: surrogateweb.exe
File created by surrogateweb.exe:
- C:\Windows\Speech\Engines\lsm.exe
- C:\Windows\Speech\Engines\101b941d020240
- C:\Windows\ehome\MCX\X02\surrogateweb.exe
- C:\Windows\ehome\MCX\X02\bfcecf37da4ee6
- C:\Windows\ModemLogs\System.exe
- C:\Windows\ModemLogs\27d1bcfc3c54e0
Each executable copy is paired with a companion file whose 14-hex-digit name depends on the executable's name (6ccacd8608530f beside both Idle.exe copies, 101b941d020240 beside both lsm.exe copies), so the companion names are as usable for a disk sweep as the executables themselves.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, 51 instances (PIDs: 2760, 2488, 2032, 2708, 712, 1336, 1968, 2304, 956, 2064, 2840, 2132, 2368, 1812, 1280, 1640, 1960, 2616, 1488, 468, 2540, 3000, 1748, 1940, 2968, 696, 2216, 1116, 1540, 2776, 2788, 1848, 1688, 2724, 1172, 572, 448, 2764, 2804, 2872, 2728, 2128, 768, 2376, 888, 2556, 2912, 1764, 1796, 2996, 2880)
The count is consistent with three tasks per dropped copy for the 17 copies registered under the Run-key and Winlogon signatures. The two command lines visible at the end of the process list show the pattern for lsm.exe: task "lsml" re-launches the copy every 6 minutes (/sc MINUTE /mo 6) and task "lsm" starts it at every logon with the highest run level (/sc ONLOGON /rl HIGHEST); both use /f, so an existing task of the same name is silently replaced.
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes: 2332 surrogateweb.exe (5 times), 2416 conhost.exe (13 times)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: Token: SeDebugPrivilege 2332 surrogateweb.exe; Token: SeDebugPrivilege 2416 conhost.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes: SandeLLoCHECKER_Installer (2).exe, WScript.exe, cmd.exe, surrogateweb.exe, cmd.exe
Writes grouped by source PID -> target PID (count):
- 3052 SandeLLoCHECKER_Installer (2).exe -> 2276 WScript.exe (4)
- 2276 WScript.exe -> 1912 cmd.exe (4)
- 1912 cmd.exe -> 2332 surrogateweb.exe (4)
- 2332 surrogateweb.exe -> 1652 cmd.exe (3)
- 1652 cmd.exe -> 1916 w32tm.exe (3)
- 1652 cmd.exe -> 2416 conhost.exe (3)
Every write goes from a parent into the child it has just created and nowhere else, which is the normal process-creation footprint rather than injection into a foreign process. The value of this list is the launch chain it reconstructs: installer -> WScript.exe (.vbe) -> cmd.exe (.bat) -> surrogateweb.exe -> cmd.exe (.bat) -> w32tm.exe and conhost.exe.
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(indentation shows the process tree depth; signatures matched by each process are listed as bullets)

C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe (PID 3052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SandeLLoCHECKER_Installer (2).exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WScript.exe (PID 2276)
    Command line: "C:\Windows\System32\WScript.exe" "C:\chainproviderBrowsersvc\1byCZNucUjtCyYTxjpkyduFHkoB.vbe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1912)
      Command line: cmd /c ""C:\chainproviderBrowsersvc\1L1To0L.bat" "
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\chainproviderBrowsersvc\surrogateweb.exe (PID 2332)
        Command line: "C:\chainproviderBrowsersvc\surrogateweb.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe (PID 1652)
          Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aTboc7LuI.bat"
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\w32tm.exe (PID 1916)
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
          C:\chainproviderBrowsersvc\conhost.exe (PID 2416)
            Command line: "C:\chainproviderBrowsersvc\conhost.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

Top-level schtasks.exe processes (51 in total, image C:\Windows\system32\schtasks.exe). Every one of them matched the same three signatures:
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task

PID | command line
2880 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\lsm.exe'" /f
3000 | schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\lsm.exe'" /rl HIGHEST /f
2616 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\lsm.exe'" /rl HIGHEST /f
2708 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
2760 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
2368 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
2776 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /f
2764 | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
2064 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
2724 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /f
2540 | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
2488 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\dllhost.exe'" /rl HIGHEST /f
2556 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\Idle.exe'" /f
2996 | schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Idle.exe'" /rl HIGHEST /f
2032 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Idle.exe'" /rl HIGHEST /f
1688 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
712 | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1812 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1748 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dllhost.exe'" /f
1968 | schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
2304 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1848 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\lsm.exe'" /f
768 | schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\lsm.exe'" /rl HIGHEST /f
1172 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech\Engines\lsm.exe'" /rl HIGHEST /f
1940 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1488 | schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1280 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1640 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /f
572 | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
2840 | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
2804 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Idle.exe'" /f
2872 | schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Idle.exe'" /rl HIGHEST /f
2788 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\Idle.exe'" /rl HIGHEST /f
2728 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /f
448 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
2968 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\csrss.exe'" /rl HIGHEST /f
1960 | schtasks.exe /create /tn "surrogatewebs" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\MCX\X02\surrogateweb.exe'" /f
956 | schtasks.exe /create /tn "surrogateweb" /sc ONLOGON /tr "'C:\Windows\ehome\MCX\X02\surrogateweb.exe'" /rl HIGHEST /f
696 | schtasks.exe /create /tn "surrogatewebs" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\MCX\X02\surrogateweb.exe'" /rl HIGHEST /f
1336 | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\chainproviderBrowsersvc\wininit.exe'" /f
2216 | schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\wininit.exe'" /rl HIGHEST /f
1116 | schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\chainproviderBrowsersvc\wininit.exe'" /rl HIGHEST /f
1540 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsm.exe'" /f
2376 | schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsm.exe'" /rl HIGHEST /f
2912 | schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsm.exe'" /rl HIGHEST /f
2132 | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /f
468 | schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /rl HIGHEST /f
2128 | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\chainproviderBrowsersvc\conhost.exe'" /rl HIGHEST /f
1764 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\System.exe'" /f
888 | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
1796 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads