dcrat | 9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462

Analysis

max time kernel
117s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8FE4D765052F33EE206BABD50ECEBFF4.exe
Size

1.8MB
MD5

8fe4d765052f33ee206babd50ecebff4
SHA1

626ed36cc72ed374334c868a5d2471cd1d70e9ef
SHA256

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462
SHA512

5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210
SSDEEP

49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\All Users\\winlogon.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Users\\Default User\\winlogon.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\", \"C:\\Windows\\ja-JP\\dllhost.exe\", \"C:\\Users\\All Users\\winlogon.exe\", \"C:\\Users\\Default User\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\", \"C:\\Program Files\\Internet Explorer\\dwm.exe\""	MsRefHost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2772	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2772	schtasks.exe	35

Executes dropped EXE 2 IoCs

pid	Process
2800	MsRefHost.exe
1720	MsRefHost.exe

Loads dropped DLL 2 IoCs

pid	Process
2108	cmd.exe
2108	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Internet Explorer\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files\\Internet Explorer\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\Default User\\winlogon.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\WmiPrvSE.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\ja-JP\\dllhost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Users\\All Users\\winlogon.exe\""	MsRefHost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC615D6025B551407E94D24227C62FAFE.TMP	csc.exe
File created	\??\c:\Windows\System32\qrosn9.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\dwm.exe	MsRefHost.exe
File created	C:\Program Files\Internet Explorer\6cb0b6c459d5d3	MsRefHost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\dllhost.exe	MsRefHost.exe
File created	C:\Windows\ja-JP\5940a34987c991	MsRefHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8FE4D765052F33EE206BABD50ECEBFF4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2616	schtasks.exe
2980	schtasks.exe
3016	schtasks.exe
1808	schtasks.exe
2676	schtasks.exe
2944	schtasks.exe
2972	schtasks.exe
2348	schtasks.exe
2192	schtasks.exe
956	schtasks.exe
2656	schtasks.exe
2996	schtasks.exe
1872	schtasks.exe
1152	schtasks.exe
3036	schtasks.exe
2392	schtasks.exe
2076	schtasks.exe
3004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe
2800	MsRefHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	MsRefHost.exe
Token: SeDebugPrivilege	1720	MsRefHost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1884	1956	8FE4D765052F33EE206BABD50ECEBFF4.exe	31
PID 1956 wrote to memory of 1884	1956	8FE4D765052F33EE206BABD50ECEBFF4.exe	31
PID 1956 wrote to memory of 1884	1956	8FE4D765052F33EE206BABD50ECEBFF4.exe	31
PID 1956 wrote to memory of 1884	1956	8FE4D765052F33EE206BABD50ECEBFF4.exe	31
PID 1884 wrote to memory of 2108	1884	WScript.exe	32
PID 1884 wrote to memory of 2108	1884	WScript.exe	32
PID 1884 wrote to memory of 2108	1884	WScript.exe	32
PID 1884 wrote to memory of 2108	1884	WScript.exe	32
PID 2108 wrote to memory of 2800	2108	cmd.exe	34
PID 2108 wrote to memory of 2800	2108	cmd.exe	34
PID 2108 wrote to memory of 2800	2108	cmd.exe	34
PID 2108 wrote to memory of 2800	2108	cmd.exe	34
PID 2800 wrote to memory of 2308	2800	MsRefHost.exe	39
PID 2800 wrote to memory of 2308	2800	MsRefHost.exe	39
PID 2800 wrote to memory of 2308	2800	MsRefHost.exe	39
PID 2308 wrote to memory of 1684	2308	csc.exe	41
PID 2308 wrote to memory of 1684	2308	csc.exe	41
PID 2308 wrote to memory of 1684	2308	csc.exe	41
PID 2800 wrote to memory of 2784	2800	MsRefHost.exe	57
PID 2800 wrote to memory of 2784	2800	MsRefHost.exe	57
PID 2800 wrote to memory of 2784	2800	MsRefHost.exe	57
PID 2784 wrote to memory of 1920	2784	cmd.exe	59
PID 2784 wrote to memory of 1920	2784	cmd.exe	59
PID 2784 wrote to memory of 1920	2784	cmd.exe	59
PID 2784 wrote to memory of 952	2784	cmd.exe	60
PID 2784 wrote to memory of 952	2784	cmd.exe	60
PID 2784 wrote to memory of 952	2784	cmd.exe	60
PID 2784 wrote to memory of 1720	2784	cmd.exe	61
PID 2784 wrote to memory of 1720	2784	cmd.exe	61
PID 2784 wrote to memory of 1720	2784	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe
"C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
      "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gnbjojvo\gnbjojvo.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2E0.tmp" "c:\Windows\System32\CSC615D6025B551407E94D24227C62FAFE.TMP"
        6⤵
        
        PID:1684
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WZqCqcFRCm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1920
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:952
      - C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
        
        "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESE2E0.tmp

Filesize
1KB

MD5
1e477811e2e59d219efbcb1accbd8169

SHA1
58be586f61b1d2a283b02835c3dbef84bad1d125

SHA256
4827d9a25fe96efc74a37cc69403a728aae664427425fc60e9d9f6d815d2dbaf

SHA512
2eb6d1d62d1612bbbc4b9a86453349134dd5c80b159899d2abd31cc60ef08c6c3f835d98ef05d72dc8086db3b5b463257f20834eee52a15e0e738a0d3c2f64d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZqCqcFRCm.bat

Filesize
253B

MD5
1d904a128cf4c95cb777271e14c94643

SHA1
cfd3a9ffff0c722ec80cb376ae2db0adcde6db9a

SHA256
31419f462d0d5079793ee1630675f65e064d040b0aab125026cc20450716384c

SHA512
c499cc13b4b015c7630e28cb886a3c75f79b4c96339de677ceed46669cfff2c1df4ebba9d1a9105d2092970068285dddf313b8b309632ada1c026c1790b0d67d

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe

Filesize
247B

MD5
299cb1e8030c59ea61c25d77663d93ce

SHA1
47ed6fb489f8e725a2a25ff2de2f769f8c010ca9

SHA256
c21646d405045a3684859964fb3a6bab60be39d07ef509902baa267fb3735d60

SHA512
121da7ee97dbc5ea1aed2b95acd2b9869783851bf1f267e97dd9ae25d0ad2819eccb8618108d8adb745a4baed59de9eb5da4c2c132659219f5689f03302bcb08

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat

Filesize
111B

MD5
7570b030d6165dbe5710aea256bc5fb0

SHA1
f748ac754c02cebb69b874e6c2b7c8dd51bfa43c

SHA256
5a7151908f5167f6be21b2518d8d825dc3f13e4fcc0e1b7ea4931669d28ef3e7

SHA512
64ba0ebacbc47fa0a7dc3efd361e89d24d7df343548ad337da0d2f4333e37a5ff208fc0d6f3c197d8e944d38cd4029f13f34b01e8a2adb63baea16dcedcd3ade

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gnbjojvo\gnbjojvo.0.cs

Filesize
393B

MD5
12eea2842a51d23188fa2b8bba74c3ce

SHA1
234b5891ff4e85587ec955b08f5963aae3b178e8

SHA256
7eef6fac5b6c94c3916b5103d9fdf71e6fff059e9a052db27f8c6de1b9a85752

SHA512
b39385ddc902ce8cfb5d3262ef4edb78d3ef38a1eb2faea0b32ca15bf9337ca139e8dcc7491cc98b43fe3b4c5e9c9c90491002be28d8349bda241256c074272c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gnbjojvo\gnbjojvo.cmdline

Filesize
235B

MD5
cf27cda926e27e5fd0788cec1f35764f

SHA1
6547b8cfc7af21a451e29fec3eed474075681c91

SHA256
ca91632da5b9c89888146e76cdc1d082c0f3c03899fb77cc605f88aad3126200

SHA512
f29b0989f5bbb5810b084466b6c649169a35bd2f6faa12350594e8f7d5e8d12a9230b1983ccd5711722d83ab1c1d747a1ee61eb9ab9f71954f3b6131041db9b4

Download Submit
\??\c:\Windows\System32\CSC615D6025B551407E94D24227C62FAFE.TMP

Filesize
1KB

MD5
332eb1c3dc41d312a6495d9ea0a81166

SHA1
1d5c1b68be781b14620d9e98183506f8651f4afd

SHA256
bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

SHA512
2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

Download Submit
\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe

Filesize
1.9MB

MD5
8f4b5051db276e30641cd63fac01a982

SHA1
2da38a070be557014c57d314211f6236470aca37

SHA256
5864cdafd1e3c62524dd7ec715b055e11a3ace3f586d575a2c2f5f9c4f096553

SHA512
db77eb1df5aa539bb55ae9c6936c40f7e6d5b9b53e2c7e0c84c2d6df91f541cbdfef92675b45e5e7bb804b8998482970ff92f793e63ad2f9754d43bfab60bfa2

Download Submit
memory/1720-55-0x00000000002D0000-0x00000000004C4000-memory.dmp

Filesize
2.0MB

Download
memory/2800-15-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2800-25-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2800-23-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2800-21-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2800-19-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/2800-17-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2800-13-0x0000000000A80000-0x0000000000C74000-memory.dmp

Filesize
2.0MB

Download