dcrat | af58caae16d4efcf211bdc1ab7830e6c27d5bce03e6fd2fd7c59901f40c75ce2

General

Target

1.exe
Size

2.6MB
MD5

d33fd82b32895cb0552b9c6dad9b3435
SHA1

a3117af86755a70fbaebdb2c8d27ac06e9dd777f
SHA256

af58caae16d4efcf211bdc1ab7830e6c27d5bce03e6fd2fd7c59901f40c75ce2
SHA512

fa72d7aebdf5e6b5e5d855a1f169854f82227490b18b573934f17a40ff5592a6a5d9364f2d9dc0da0200fdc1433fc104ada83bf75233860d51fc30af76ef248f
SSDEEP

49152:UbA30NVKXoZA5f48GoTA2fIirWmSIECusCjsAOoP2BTl4yJEmt:UbRVigA5w8Gx26XwCcztJEmt

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.execomponentperf.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
908	schtasks.exe
2100	schtasks.exe
1996	schtasks.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\6ccacd8608530f	componentperf.exe
2192	schtasks.exe
2828	schtasks.exe
2772	schtasks.exe
1756	schtasks.exe
2388	schtasks.exe
2984	schtasks.exe
2152	schtasks.exe
2396	schtasks.exe
2408	schtasks.exe
1376	schtasks.exe
2796	schtasks.exe
1996	schtasks.exe
1660	schtasks.exe
1392	schtasks.exe
1748	schtasks.exe
2156	schtasks.exe
1952	schtasks.exe
2472	schtasks.exe
784	schtasks.exe
2312	schtasks.exe
1048	schtasks.exe
1604	schtasks.exe
564	schtasks.exe
2960	schtasks.exe
2140	schtasks.exe
2316	schtasks.exe
2788	schtasks.exe
2164	schtasks.exe
2544	schtasks.exe
2784	schtasks.exe
480	schtasks.exe
1868	schtasks.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\6cb0b6c459d5d3	componentperf.exe
2376	schtasks.exe
2468	schtasks.exe
2888	schtasks.exe
1780	schtasks.exe
1108	schtasks.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	componentperf.exe
1576	schtasks.exe
596	schtasks.exe
1140	schtasks.exe
796	schtasks.exe
1384	schtasks.exe
1752	schtasks.exe
1268	schtasks.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	componentperf.exe
1820	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\f3b6ecef712a24	componentperf.exe
1944	schtasks.exe
2300	schtasks.exe
1856	schtasks.exe
File created	C:\Program Files\MSBuild\Microsoft\101b941d020240	componentperf.exe
2304	schtasks.exe
2380	schtasks.exe
1492	schtasks.exe
860	schtasks.exe
608	schtasks.exe
964	schtasks.exe
328	schtasks.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3060	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3060	schtasks.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\surrogateBrowser\componentperf.exe	dcrat
behavioral1/memory/2860-13-0x0000000000D70000-0x0000000000FCE000-memory.dmp	dcrat
behavioral1/memory/2672-61-0x0000000000F30000-0x000000000118E000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

componentperf.execomponentperf.exe

pid process

2860 componentperf.exe
2672 componentperf.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2552 cmd.exe
2552 cmd.exe

pid	process
2552	cmd.exe
2552	cmd.exe

Drops file in Program Files directory 21 IoCs

Processes:

componentperf.execomponentperf.exe

description	ioc	process
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\6ccacd8608530f	componentperf.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe	componentperf.exe
File created	C:\Program Files (x86)\Google\Temp\lsm.exe	componentperf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\services.exe	componentperf.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	componentperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	componentperf.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\f3b6ecef712a24	componentperf.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	componentperf.exe
File created	C:\Program Files\MSBuild\Microsoft\lsm.exe	componentperf.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\it-IT\Idle.exe	componentperf.exe
File created	C:\Program Files (x86)\Google\Temp\101b941d020240	componentperf.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	componentperf.exe
File created	C:\Program Files\MSBuild\Microsoft\101b941d020240	componentperf.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\spoolsv.exe	componentperf.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	componentperf.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe	componentperf.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\cc11b995f2a76d	componentperf.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\6cb0b6c459d5d3	componentperf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\c5b4cb5e9653cc	componentperf.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\lsm.exe	componentperf.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	componentperf.exe

Drops file in Windows directory 7 IoCs

Processes:

componentperf.execomponentperf.exe

description	ioc	process
File created	C:\Windows\tracing\24dbde2999530e	componentperf.exe
File created	C:\Windows\diagnostics\system\Networking\it-IT\dwm.exe	componentperf.exe
File created	C:\Windows\Offline Web Pages\OSPPSVC.exe	componentperf.exe
File created	C:\Windows\Offline Web Pages\1610b97d3ab4a7	componentperf.exe
File created	C:\Windows\es-ES\csrss.exe	componentperf.exe
File created	C:\Windows\es-ES\886983d96e3d3e	componentperf.exe
File created	C:\Windows\tracing\WmiPrvSE.exe	componentperf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3028	schtasks.exe
908	schtasks.exe
1140	schtasks.exe
264	schtasks.exe
2452	schtasks.exe
1108	schtasks.exe
2204	schtasks.exe
1944	schtasks.exe
2472	schtasks.exe
2340	schtasks.exe
2780	schtasks.exe
1048	schtasks.exe
1752	schtasks.exe
1376	schtasks.exe
2180	schtasks.exe
1660	schtasks.exe
2164	schtasks.exe
596	schtasks.exe
2544	schtasks.exe
1728	schtasks.exe
2384	schtasks.exe
288	schtasks.exe
2192	schtasks.exe
1856	schtasks.exe
1268	schtasks.exe
328	schtasks.exe
1492	schtasks.exe
2916	schtasks.exe
2488	schtasks.exe
2472	schtasks.exe
2920	schtasks.exe
2324	schtasks.exe
1576	schtasks.exe
2828	schtasks.exe
1748	schtasks.exe
2156	schtasks.exe
1684	schtasks.exe
1868	schtasks.exe
2424	schtasks.exe
2960	schtasks.exe
480	schtasks.exe
2372	schtasks.exe
2100	schtasks.exe
564	schtasks.exe
2380	schtasks.exe
2376	schtasks.exe
2120	schtasks.exe
2152	schtasks.exe
1980	schtasks.exe
1756	schtasks.exe
2732	schtasks.exe
608	schtasks.exe
2984	schtasks.exe
796	schtasks.exe
2796	schtasks.exe
2116	schtasks.exe
2396	schtasks.exe
2980	schtasks.exe
1996	schtasks.exe
1820	schtasks.exe
2100	schtasks.exe
2468	schtasks.exe
2692	schtasks.exe
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

componentperf.execomponentperf.exe

pid	process
2860	componentperf.exe
2860	componentperf.exe
2860	componentperf.exe
2860	componentperf.exe
2860	componentperf.exe
2860	componentperf.exe
2860	componentperf.exe
2860	componentperf.exe
2860	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe
2672	componentperf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

componentperf.execomponentperf.exe

description pid process

Token: SeDebugPrivilege 2860 componentperf.exe
Token: SeDebugPrivilege 2672 componentperf.exe

description	pid	process
Token: SeDebugPrivilege	2860	componentperf.exe
Token: SeDebugPrivilege	2672	componentperf.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1.exeWScript.execmd.execomponentperf.execmd.execomponentperf.execmd.exe

description	pid	process	target process
PID 1620 wrote to memory of 2844	1620	1.exe	WScript.exe
PID 1620 wrote to memory of 2844	1620	1.exe	WScript.exe
PID 1620 wrote to memory of 2844	1620	1.exe	WScript.exe
PID 1620 wrote to memory of 2844	1620	1.exe	WScript.exe
PID 2844 wrote to memory of 2552	2844	WScript.exe	cmd.exe
PID 2844 wrote to memory of 2552	2844	WScript.exe	cmd.exe
PID 2844 wrote to memory of 2552	2844	WScript.exe	cmd.exe
PID 2844 wrote to memory of 2552	2844	WScript.exe	cmd.exe
PID 2552 wrote to memory of 2860	2552	cmd.exe	componentperf.exe
PID 2552 wrote to memory of 2860	2552	cmd.exe	componentperf.exe
PID 2552 wrote to memory of 2860	2552	cmd.exe	componentperf.exe
PID 2552 wrote to memory of 2860	2552	cmd.exe	componentperf.exe
PID 2860 wrote to memory of 2832	2860	componentperf.exe	cmd.exe
PID 2860 wrote to memory of 2832	2860	componentperf.exe	cmd.exe
PID 2860 wrote to memory of 2832	2860	componentperf.exe	cmd.exe
PID 2832 wrote to memory of 2968	2832	cmd.exe	w32tm.exe
PID 2832 wrote to memory of 2968	2832	cmd.exe	w32tm.exe
PID 2832 wrote to memory of 2968	2832	cmd.exe	w32tm.exe
PID 2832 wrote to memory of 2672	2832	cmd.exe	componentperf.exe
PID 2832 wrote to memory of 2672	2832	cmd.exe	componentperf.exe
PID 2832 wrote to memory of 2672	2832	cmd.exe	componentperf.exe
PID 2672 wrote to memory of 1604	2672	componentperf.exe	cmd.exe
PID 2672 wrote to memory of 1604	2672	componentperf.exe	cmd.exe
PID 2672 wrote to memory of 1604	2672	componentperf.exe	cmd.exe
PID 1604 wrote to memory of 2968	1604	cmd.exe	w32tm.exe
PID 1604 wrote to memory of 2968	1604	cmd.exe	w32tm.exe
PID 1604 wrote to memory of 2968	1604	cmd.exe	w32tm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\surrogateBrowser\jugsRTlixTNpJQR.vbe"
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\surrogateBrowser\6sJKwNteCedZSQrFBGYlXz0mxM.bat" "
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552

C:\surrogateBrowser\componentperf.exe
"C:\surrogateBrowser\componentperf.exe"
4⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7WMJXQ8ssA.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2968

C:\surrogateBrowser\componentperf.exe
"C:\surrogateBrowser\componentperf.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KCsXICm1Rg.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\surrogateBrowser\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\surrogateBrowser\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\surrogateBrowser\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\surrogateBrowser\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\surrogateBrowser\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\surrogateBrowser\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Minesweeper\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentperfc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\componentperf.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentperf" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\componentperf.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentperfc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\componentperf.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\surrogateBrowser\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\surrogateBrowser\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\surrogateBrowser\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\surrogateBrowser\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\surrogateBrowser\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\surrogateBrowser\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- DcRat
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- DcRat
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\surrogateBrowser\taskhost.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\surrogateBrowser\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\surrogateBrowser\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\csrss.exe'" /f
1⤵
- DcRat
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- DcRat
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\WmiPrvSE.exe'" /f
1⤵
- DcRat
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\tracing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\surrogateBrowser\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\surrogateBrowser\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\surrogateBrowser\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7WMJXQ8ssA.bat

Filesize
202B

MD5
2a85177459d286725266d9c39ce36083

SHA1
0b0a9be47c8d12c473e0af90aaed5a615dabc4a4

SHA256
e9354df5070e6fe6f6cce1cad9f394ef859ca2c347be988e65276fa680e481d2

SHA512
4dd16b30137d0a9acd15d2f063c7bf444b46bddde1c6757315533eca0f55499d9f522086e973a74849724299e55dca2ad18b43dbaa3a81861dd7ef629f94f214

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCsXICm1Rg.bat

Filesize
196B

MD5
f0f2e37f30b842e54af16a9c8fc6fba2

SHA1
31d3c425f854a52d854010dca1ca369b5f3c53c5

SHA256
16dc31e48a6350f994f545aaa441c9e102eef94c2134e8d34fd04ad9669dcc7a

SHA512
14f74776d7ccf0ab41bfa95e5e10a58ccd465c0c4bc2e6cd2ebcc1f6596aa4ffce2ec5a443fc415f3ffd699af81bf93889a4a27e6a1803990bc1313e6a2335ed

Download Submit
C:\surrogateBrowser\24dbde2999530e

Filesize
396B

MD5
40c5f076108ce24f4bc51d4955ec8066

SHA1
49fcc0ae23ac828963c565ca93135d720d79effa

SHA256
62b98ed18c286a9dcdd21f6bc7ed605288c2a3b0e616b27fa34dfbaad22bc256

SHA512
54d06cdd709e5a0af2298e6429f28fa7568346b313093ba9d0193c4b57d06b34a4baa599f4fd9fd44907a3b2a9a8033a5f1642bd1586cebb7561bd579cec1e91

Download Submit
C:\surrogateBrowser\6203df4a6bafc7

Filesize
33B

MD5
9238d7efaf9062c1b7595906ff258998

SHA1
97a095160a1ec852413911960ff627926cfc8046

SHA256
2839991deccafddc857c18809599e9c27f689c81e5e9b6a0075eaca2f6e58dd3

SHA512
46ccffae8683be6b4308d7eb97080fd6f78dc2235e49a86dece0e9ebf75e2902a5ece3379d6133f8dbf292651b977045ed6f988d618d16914496636a196d174d

Download Submit
C:\surrogateBrowser\6sJKwNteCedZSQrFBGYlXz0mxM.bat

Filesize
39B

MD5
cc69ff276bc01cf713869de612989b6e

SHA1
68bf9bcbd1b73b192291e35cb5fc1398362c97b1

SHA256
bc399373baab928a60d2b9e99ef09c1bf87d6978ed27b80aedb83d355d38aa67

SHA512
f6e304dbec4185ff84309d2138f8823c02e8690074fdbfd560d7559b05916d6ab5c820344a5a5006d55236fa19d3338b2ee6d01cbe831ed170fd4bed22772a1c

Download Submit
C:\surrogateBrowser\jugsRTlixTNpJQR.vbe

Filesize
219B

MD5
4ebf70867f59482e34dd049a8603e143

SHA1
7d4b332dfabe271c829705fcf7fa57c77a183796

SHA256
651bcddc048bd1d961d2ff6b546865aa3a8d803cca93952d88aae2888f3f2a68

SHA512
b14cd8f60b3be1b9617b7392f060a361fe7aa62d1a986f91251412a426f3cbe2cab79ac37aa3e8570b5ba64204c8b6ef61f2b60091eb6dcc6a1491025e5d1712

Download Submit
C:\surrogateBrowser\lsass.exe

Filesize
2.3MB

MD5
e72ad63667c6e3b80fdfa5888daae983

SHA1
ba1eb9b19438107e7c4840410839096f5f52c3ac

SHA256
ba8caaf0ea05dfa525249f585936f0e022abc044e7e3af9857e57320e5e344e4

SHA512
82da755bb485bb755507292f864a004c46f59e9149926604597b27a450fa6994c6d57b713bed1918fdba9c78f673ba72f3249ba5abbec1611c9b7c53b501b6bc

Download Submit
\surrogateBrowser\componentperf.exe

Filesize
2.3MB

MD5
a7ed45551bd75d6efe5cb73025e5bf21

SHA1
009127e9825d0be8ac1566015f27d34cd9b52cd2

SHA256
815d0a143ee08216f0fcefa36c494f4bf3ba35c518f94046e649dc2fe55c8b84

SHA512
7853470fb2752d0a6795723d979aa39ac2438a01eb32543fe8cc976658480e5441cd6e64b7f2b97b3f483311e6db206a88c8c2c0a5c944d536d4e938e6f0d3c8

Download Submit
memory/2672-61-0x0000000000F30000-0x000000000118E000-memory.dmp

Filesize
2.4MB

Download
memory/2860-18-0x0000000000BB0000-0x0000000000C06000-memory.dmp

Filesize
344KB

Download
memory/2860-20-0x0000000000C10000-0x0000000000C18000-memory.dmp

Filesize
32KB

Download
memory/2860-21-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/2860-22-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2860-19-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/2860-17-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2860-16-0x0000000000B90000-0x0000000000BA6000-memory.dmp

Filesize
88KB

Download
memory/2860-15-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2860-14-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2860-13-0x0000000000D70000-0x0000000000FCE000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads