dcrat | 9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8FE4D765052F33EE206BABD50ECEBFF4.exe
Size

1.8MB
MD5

8fe4d765052f33ee206babd50ecebff4
SHA1

626ed36cc72ed374334c868a5d2471cd1d70e9ef
SHA256

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462
SHA512

5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210
SSDEEP

49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\", \"C:\\Program Files\\Common Files\\Idle.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	MsRefHost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2548	schtasks.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	2548	schtasks.exe	94

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	8FE4D765052F33EE206BABD50ECEBFF4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	MsRefHost.exe

Executes dropped EXE 2 IoCs

pid	Process
2396	MsRefHost.exe
3504	Idle.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files\\Java\\jdk-1.8\\jre\\bin\\SppExtComObj.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Idle.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate_bk\\wininit.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Common Files\\Idle.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC6A2DB2FABCCF44C6B0B5C2CA929267D1.TMP	csc.exe
File created	\??\c:\Windows\System32\ovufcs.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe	MsRefHost.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\e1ef82546f0b02	MsRefHost.exe
File created	C:\Program Files\Common Files\Idle.exe	MsRefHost.exe
File created	C:\Program Files\Common Files\6ccacd8608530f	MsRefHost.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe	MsRefHost.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\56085415360792	MsRefHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8FE4D765052F33EE206BABD50ECEBFF4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
764	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	8FE4D765052F33EE206BABD50ECEBFF4.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	MsRefHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
764	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3408	schtasks.exe
1516	schtasks.exe
2536	schtasks.exe
4940	schtasks.exe
4744	schtasks.exe
5100	schtasks.exe
1988	schtasks.exe
2320	schtasks.exe
2664	schtasks.exe
1720	schtasks.exe
4128	schtasks.exe
3144	schtasks.exe
3912	schtasks.exe
2916	schtasks.exe
5016	schtasks.exe
3396	schtasks.exe
3544	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe
2396	MsRefHost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	MsRefHost.exe
Token: SeDebugPrivilege	3504	Idle.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 64	764	8FE4D765052F33EE206BABD50ECEBFF4.exe	84
PID 764 wrote to memory of 64	764	8FE4D765052F33EE206BABD50ECEBFF4.exe	84
PID 764 wrote to memory of 64	764	8FE4D765052F33EE206BABD50ECEBFF4.exe	84
PID 64 wrote to memory of 3316	64	WScript.exe	90
PID 64 wrote to memory of 3316	64	WScript.exe	90
PID 64 wrote to memory of 3316	64	WScript.exe	90
PID 3316 wrote to memory of 2396	3316	cmd.exe	92
PID 3316 wrote to memory of 2396	3316	cmd.exe	92
PID 2396 wrote to memory of 4316	2396	MsRefHost.exe	99
PID 2396 wrote to memory of 4316	2396	MsRefHost.exe	99
PID 4316 wrote to memory of 2436	4316	csc.exe	101
PID 4316 wrote to memory of 2436	4316	csc.exe	101
PID 2396 wrote to memory of 4420	2396	MsRefHost.exe	117
PID 2396 wrote to memory of 4420	2396	MsRefHost.exe	117
PID 4420 wrote to memory of 1608	4420	cmd.exe	120
PID 4420 wrote to memory of 1608	4420	cmd.exe	120
PID 4420 wrote to memory of 764	4420	cmd.exe	121
PID 4420 wrote to memory of 764	4420	cmd.exe	121
PID 4420 wrote to memory of 3504	4420	cmd.exe	124
PID 4420 wrote to memory of 3504	4420	cmd.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe
"C:\Users\Admin\AppData\Local\Temp\8FE4D765052F33EE206BABD50ECEBFF4.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
      "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cgvcqqs1\cgvcqqs1.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBAA5.tmp" "c:\Windows\System32\CSC6A2DB2FABCCF44C6B0B5C2CA929267D1.TMP"
        6⤵
        
        PID:2436
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qV0yvi7Q70.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1608
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:764
      - C:\Program Files\Common Files\Idle.exe
        
        "C:\Program Files\Common Files\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\jre\bin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBAA5.tmp

Filesize
1KB

MD5
52ed454e787d6f982eea640b12277a3e

SHA1
d68c23d7c0a08fe3dd206efe7ef975da640533ed

SHA256
8887a1db47cdbbf10b3682d907c755336528dde8eaaaa184b6110dbc6bbdb7ac

SHA512
93441059b85215acab2a0d05590ba075788949b487204bfc102f9470e36a63caf00e1f6fa25bdae84b97f71e2a52a1b0ce3a8da69312374184f09af6af54a528

Download Submit
C:\Users\Admin\AppData\Local\Temp\qV0yvi7Q70.bat

Filesize
166B

MD5
af1a40f5018e80dbb10ab98f9191b24c

SHA1
8c3320a0c031f33968bbb0a2a8da989a3fd70b11

SHA256
7688aa5d572e62047dc34ac7aefe2a938c861e457e271c92618f50e7d96dce1c

SHA512
8d8c35f758bf102a4e954c669d6f8f1f397c182681fc0c1a205837de2867e9e0e6b4b4f61f009997331789da2c88a904101f9b7b6a7f5d7cc0f03293aae4d063

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe

Filesize
1.9MB

MD5
8f4b5051db276e30641cd63fac01a982

SHA1
2da38a070be557014c57d314211f6236470aca37

SHA256
5864cdafd1e3c62524dd7ec715b055e11a3ace3f586d575a2c2f5f9c4f096553

SHA512
db77eb1df5aa539bb55ae9c6936c40f7e6d5b9b53e2c7e0c84c2d6df91f541cbdfef92675b45e5e7bb804b8998482970ff92f793e63ad2f9754d43bfab60bfa2

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe

Filesize
247B

MD5
299cb1e8030c59ea61c25d77663d93ce

SHA1
47ed6fb489f8e725a2a25ff2de2f769f8c010ca9

SHA256
c21646d405045a3684859964fb3a6bab60be39d07ef509902baa267fb3735d60

SHA512
121da7ee97dbc5ea1aed2b95acd2b9869783851bf1f267e97dd9ae25d0ad2819eccb8618108d8adb745a4baed59de9eb5da4c2c132659219f5689f03302bcb08

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat

Filesize
111B

MD5
7570b030d6165dbe5710aea256bc5fb0

SHA1
f748ac754c02cebb69b874e6c2b7c8dd51bfa43c

SHA256
5a7151908f5167f6be21b2518d8d825dc3f13e4fcc0e1b7ea4931669d28ef3e7

SHA512
64ba0ebacbc47fa0a7dc3efd361e89d24d7df343548ad337da0d2f4333e37a5ff208fc0d6f3c197d8e944d38cd4029f13f34b01e8a2adb63baea16dcedcd3ade

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cgvcqqs1\cgvcqqs1.0.cs

Filesize
386B

MD5
b118dc69a5dedd1f9af6910b25ae2da3

SHA1
6e35fa38e4d72df7f21b3ce122f8f52670579637

SHA256
20f470a53fb4b61ff9dbb462e3a0e05227867973a29f4ac5dc29ef43f894d8e3

SHA512
7e2792eeac4184746287362d47d02487bbd0a97e41fa808f51ea32f32e32fec99b0d3ab7b234317389661aa57a7aff0894641177205e059e61a2cd14cc9f4848

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cgvcqqs1\cgvcqqs1.cmdline

Filesize
235B

MD5
839b3337c9726bf6431108107563353d

SHA1
7fa4b3502dc40e7f45d210d3f212601f9892efe9

SHA256
11c6daa21904088a08ec999eb034d425d9269de5d65f27c1cd169e0a9e515fb0

SHA512
ae5594ef1eaca0cb4daba1dfd9599f38678ec75cc0b95bb4a0175cba01be3ecfbaee2fe8fa4a35dee7786a62d84c04c34de3b17c0586896d8b2df01becfebdb8

Download Submit
\??\c:\Windows\System32\CSC6A2DB2FABCCF44C6B0B5C2CA929267D1.TMP

Filesize
1KB

MD5
1c519e4618f2b468d0f490d4a716da11

SHA1
1a693d0046e48fa813e4fa3bb94ccd20d43e3106

SHA256
4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438

SHA512
99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd

Download Submit
memory/2396-20-0x000000001B5A0000-0x000000001B5B8000-memory.dmp

Filesize
96KB

Download
memory/2396-22-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/2396-23-0x000000001C1C0000-0x000000001C6E8000-memory.dmp

Filesize
5.2MB

Download
memory/2396-25-0x0000000002B30000-0x0000000002B3E000-memory.dmp

Filesize
56KB

Download
memory/2396-27-0x000000001B560000-0x000000001B56C000-memory.dmp

Filesize
48KB

Download
memory/2396-18-0x000000001BA40000-0x000000001BA90000-memory.dmp

Filesize
320KB

Download
memory/2396-17-0x000000001B580000-0x000000001B59C000-memory.dmp

Filesize
112KB

Download
memory/2396-15-0x0000000002B20000-0x0000000002B2E000-memory.dmp

Filesize
56KB

Download
memory/2396-13-0x0000000000750000-0x0000000000944000-memory.dmp

Filesize
2.0MB

Download
memory/2396-12-0x00007FFEE5FE3000-0x00007FFEE5FE5000-memory.dmp

Filesize
8KB

Download
memory/3504-66-0x000000001D3F0000-0x000000001D505000-memory.dmp

Filesize
1.1MB

Download