dcrat | 9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462

Analysis

max time kernel
139s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Size

1.8MB
MD5

8fe4d765052f33ee206babd50ecebff4
SHA1

626ed36cc72ed374334c868a5d2471cd1d70e9ef
SHA256

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462
SHA512

5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210
SSDEEP

49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

MsRefHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\spoolsv.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\smss.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\smss.exe\", \"C:\\Windows\\AppPatch\\lsm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\twain_32\\spoolsv.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6\\dwm.exe\", \"C:\\Program Files (x86)\\Windows Mail\\smss.exe\", \"C:\\Windows\\AppPatch\\lsm.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	304	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	304	schtasks.exe	34

Executes dropped EXE 2 IoCs

Processes:

MsRefHost.exelsm.exe

pid	Process
2756	MsRefHost.exe
2156	lsm.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2264	cmd.exe
2264	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MsRefHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\twain_32\\spoolsv.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\twain_32\\spoolsv.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Common Files\\Adobe\\Updater6\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Mail\\smss.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\AppPatch\\lsm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\dllhost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Mail\\smss.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Windows\\AppPatch\\lsm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSCFFE8514418A941428D388C7C581F33F4.TMP	csc.exe
File created	\??\c:\Windows\System32\byyuy-.exe	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

MsRefHost.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\dwm.exe	MsRefHost.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\6cb0b6c459d5d3	MsRefHost.exe
File created	C:\Program Files (x86)\Windows Mail\smss.exe	MsRefHost.exe
File created	C:\Program Files (x86)\Windows Mail\69ddcba757bf72	MsRefHost.exe

Drops file in Windows directory 5 IoCs

Processes:

MsRefHost.exe

description	ioc	Process
File created	C:\Windows\twain_32\f3b6ecef712a24	MsRefHost.exe
File created	C:\Windows\AppPatch\lsm.exe	MsRefHost.exe
File opened for modification	C:\Windows\AppPatch\lsm.exe	MsRefHost.exe
File created	C:\Windows\AppPatch\101b941d020240	MsRefHost.exe
File created	C:\Windows\twain_32\spoolsv.exe	MsRefHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
3008	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
3008	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1348	schtasks.exe
2804	schtasks.exe
1408	schtasks.exe
2512	schtasks.exe
2936	schtasks.exe
2620	schtasks.exe
2728	schtasks.exe
584	schtasks.exe
2928	schtasks.exe
1664	schtasks.exe
2120	schtasks.exe
2592	schtasks.exe
2800	schtasks.exe
2708	schtasks.exe
2256	schtasks.exe
2228	schtasks.exe
872	schtasks.exe
1364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MsRefHost.exe

pid	Process
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe
2756	MsRefHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

lsm.exe

pid	Process
2156	lsm.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MsRefHost.exelsm.exe

description	pid	Process
Token: SeDebugPrivilege	2756	MsRefHost.exe
Token: SeDebugPrivilege	2156	lsm.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeWScript.execmd.exeMsRefHost.execsc.execmd.exe

description	pid	Process	procid_target
PID 3048 wrote to memory of 1280	3048	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	30
PID 3048 wrote to memory of 1280	3048	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	30
PID 3048 wrote to memory of 1280	3048	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	30
PID 3048 wrote to memory of 1280	3048	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	30
PID 1280 wrote to memory of 2264	1280	WScript.exe	31
PID 1280 wrote to memory of 2264	1280	WScript.exe	31
PID 1280 wrote to memory of 2264	1280	WScript.exe	31
PID 1280 wrote to memory of 2264	1280	WScript.exe	31
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2264 wrote to memory of 2756	2264	cmd.exe	33
PID 2756 wrote to memory of 2216	2756	MsRefHost.exe	38
PID 2756 wrote to memory of 2216	2756	MsRefHost.exe	38
PID 2756 wrote to memory of 2216	2756	MsRefHost.exe	38
PID 2216 wrote to memory of 1756	2216	csc.exe	40
PID 2216 wrote to memory of 1756	2216	csc.exe	40
PID 2216 wrote to memory of 1756	2216	csc.exe	40
PID 2756 wrote to memory of 444	2756	MsRefHost.exe	56
PID 2756 wrote to memory of 444	2756	MsRefHost.exe	56
PID 2756 wrote to memory of 444	2756	MsRefHost.exe	56
PID 444 wrote to memory of 2192	444	cmd.exe	58
PID 444 wrote to memory of 2192	444	cmd.exe	58
PID 444 wrote to memory of 2192	444	cmd.exe	58
PID 444 wrote to memory of 3008	444	cmd.exe	59
PID 444 wrote to memory of 3008	444	cmd.exe	59
PID 444 wrote to memory of 3008	444	cmd.exe	59
PID 444 wrote to memory of 2156	444	cmd.exe	61
PID 444 wrote to memory of 2156	444	cmd.exe	61
PID 444 wrote to memory of 2156	444	cmd.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
"C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
      "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hqw3gz3v\hqw3gz3v.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB53B.tmp" "c:\Windows\System32\CSCFFE8514418A941428D388C7C581F33F4.TMP"
        6⤵
        
        PID:1756
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IXy2TTfhvS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2192
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
      - C:\Windows\AppPatch\lsm.exe
        
        "C:\Windows\AppPatch\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\Updater6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\AppPatch\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXy2TTfhvS.bat

Filesize
155B

MD5
0c0311df2352b6051208493ea4400f82

SHA1
90c0699d5bc76a84d8cec1b00a29f799fd088359

SHA256
1c116b0d65a1bbab1d1b47a4258f5f2acfe2ed2858863366034407f2cbdde19b

SHA512
9eff4ac0e4acfcf1f4e0b6939bfa0d0d3d7b6436996c535f1843872e4e62f0088e5f7fa38ae8abe1cb211ef8fff37012f3b06748c686183e9afad1fa03f9002f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB53B.tmp

Filesize
1KB

MD5
f8b6cdd67b138bf1e42266f1aa8f4df7

SHA1
afb288e6a182917481baa6c287f6e2999cfdbd90

SHA256
f39d7b3390c75c684e6b7d09bc8d880cfc88d87998b61b3682a774c70f073cbc

SHA512
0e55078d5931566d2d61e365247a63d32fbb09422f9f9f57506b08013261edc3f828e3cdc45aeffd4ff82e7158e108a742e15c280388f57919979d8a661e9192

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe

Filesize
1.9MB

MD5
8f4b5051db276e30641cd63fac01a982

SHA1
2da38a070be557014c57d314211f6236470aca37

SHA256
5864cdafd1e3c62524dd7ec715b055e11a3ace3f586d575a2c2f5f9c4f096553

SHA512
db77eb1df5aa539bb55ae9c6936c40f7e6d5b9b53e2c7e0c84c2d6df91f541cbdfef92675b45e5e7bb804b8998482970ff92f793e63ad2f9754d43bfab60bfa2

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe

Filesize
247B

MD5
299cb1e8030c59ea61c25d77663d93ce

SHA1
47ed6fb489f8e725a2a25ff2de2f769f8c010ca9

SHA256
c21646d405045a3684859964fb3a6bab60be39d07ef509902baa267fb3735d60

SHA512
121da7ee97dbc5ea1aed2b95acd2b9869783851bf1f267e97dd9ae25d0ad2819eccb8618108d8adb745a4baed59de9eb5da4c2c132659219f5689f03302bcb08

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat

Filesize
111B

MD5
7570b030d6165dbe5710aea256bc5fb0

SHA1
f748ac754c02cebb69b874e6c2b7c8dd51bfa43c

SHA256
5a7151908f5167f6be21b2518d8d825dc3f13e4fcc0e1b7ea4931669d28ef3e7

SHA512
64ba0ebacbc47fa0a7dc3efd361e89d24d7df343548ad337da0d2f4333e37a5ff208fc0d6f3c197d8e944d38cd4029f13f34b01e8a2adb63baea16dcedcd3ade

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hqw3gz3v\hqw3gz3v.0.cs

Filesize
363B

MD5
a96c3961ec2c2e996a73dabbcc96b58a

SHA1
6cc93a758493c1624f7f5cfc1e8af7c4a4d3536c

SHA256
40a8afd86301fe68d0c5864514cc5f19eb1124d4e3bcdf1a5d0c273251625f31

SHA512
4ac998815413039cf4737ee1860956240f7031ba7b64ea42e521723a8e0c445386920be4776c4fd3d7c4c2af9a572d0278865f9ee51df3d84146c3512b2a19e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hqw3gz3v\hqw3gz3v.cmdline

Filesize
235B

MD5
2cad435f4ddf0f6c7b235729f2eb6e09

SHA1
fc811b64c3d624329fc1b480c962cc65468d3f15

SHA256
c54ff13458ca2443456cb634dae07ee92a2500c5fe7e808d82eb895dd3364945

SHA512
c584a5c81263610f41ef77a90d64c0c731fded9d2acc17fb706fcac1e7453d9283a63a7ebbeaff2fd8eff2577774458205b6be3da4667fa93c93a044d35286f0

Download Submit
\??\c:\Windows\System32\CSCFFE8514418A941428D388C7C581F33F4.TMP

Filesize
1KB

MD5
078586b266e519b5c113064d7a0bf45c

SHA1
a9395c0ef35add5c75591ebb94c85c1f33f408bf

SHA256
ccf292ff9f142b204ad4f4481a044ba8f9ab274305dcb604bf0b8ae91819ab1e

SHA512
5b8eb6aad62657309088c4668d633c2aa6324d4824ec32c3c5e133df0a5493a4342c980e077ba565f3aab29c58f95c8db7195415a1e554384405c1457730f959

Download Submit
memory/2156-56-0x00000000002B0000-0x00000000004A4000-memory.dmp

Filesize
2.0MB

Download
memory/2756-15-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/2756-25-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2756-23-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2756-21-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2756-19-0x00000000005E0000-0x00000000005F8000-memory.dmp

Filesize
96KB

Download
memory/2756-17-0x00000000003B0000-0x00000000003CC000-memory.dmp

Filesize
112KB

Download
memory/2756-13-0x00000000000B0000-0x00000000002A4000-memory.dmp

Filesize
2.0MB

Download