dcrat | 9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462

Analysis

max time kernel
138s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Size

1.8MB
MD5

8fe4d765052f33ee206babd50ecebff4
SHA1

626ed36cc72ed374334c868a5d2471cd1d70e9ef
SHA256

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462
SHA512

5a41dbc6ead37caa5de7c3110378fc1357954a6b02b50eea6d82ff2685962536090e2e6e75a83ab321aa14a04a50f31c92290ace854bd45bc4c5913a1e1a7210
SSDEEP

49152:IBJS5y9ltNK+s0am17m5uSTRhNCYX1xoUQ/Ui5zbf2qmOK:ywGls0amCyN5zbf7jK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

MsRefHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\", \"C:\\Windows\\Microsoft.NET\\StartMenuExperienceHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\", \"C:\\Windows\\Microsoft.NET\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\", \"C:\\Windows\\Microsoft.NET\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\", \"C:\\Windows\\Microsoft.NET\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\", \"C:\\Windows\\Microsoft.NET\\StartMenuExperienceHost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\", \"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2960	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2960	schtasks.exe	93

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeWScript.exeMsRefHost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	MsRefHost.exe

Executes dropped EXE 1 IoCs

Processes:

MsRefHost.exe

pid	Process
1468	MsRefHost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MsRefHost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files (x86)\\Adobe\\TextInputHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\Registration\\CRMLog\\SppExtComObj.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Microsoft.NET\\StartMenuExperienceHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\Microsoft.NET\\StartMenuExperienceHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Recovery\\WindowsRE\\dwm.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsRefHost = "\"C:\\Users\\Admin\\AppData\\Roaming\\msSurrogateProvidercomponentPerf\\MsRefHost.exe\""	MsRefHost.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe
File created	\??\c:\Windows\System32\CSCB7606ED5BFA54835834AEEB8DB87F28E.TMP	csc.exe

Drops file in Program Files directory 4 IoCs

Processes:

MsRefHost.exe

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe	MsRefHost.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\6cb0b6c459d5d3	MsRefHost.exe
File created	C:\Program Files (x86)\Adobe\TextInputHost.exe	MsRefHost.exe
File created	C:\Program Files (x86)\Adobe\22eafd247d37c3	MsRefHost.exe

Drops file in Windows directory 4 IoCs

Processes:

MsRefHost.exe

description	ioc	Process
File created	C:\Windows\Microsoft.NET\55b276f4edf653	MsRefHost.exe
File created	C:\Windows\Registration\CRMLog\SppExtComObj.exe	MsRefHost.exe
File created	C:\Windows\Registration\CRMLog\e1ef82546f0b02	MsRefHost.exe
File created	C:\Windows\Microsoft.NET\StartMenuExperienceHost.exe	MsRefHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
1108	PING.EXE

Modifies registry class 2 IoCs

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeMsRefHost.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	MsRefHost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1108	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1500	schtasks.exe
3600	schtasks.exe
4796	schtasks.exe
1192	schtasks.exe
4508	schtasks.exe
212	schtasks.exe
4540	schtasks.exe
3660	schtasks.exe
876	schtasks.exe
1056	schtasks.exe
3204	schtasks.exe
2680	schtasks.exe
1852	schtasks.exe
464	schtasks.exe
1880	schtasks.exe
1272	schtasks.exe
1796	schtasks.exe
316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MsRefHost.exe

pid	Process
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe
1468	MsRefHost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

MsRefHost.exe

description	pid	Process
Token: SeDebugPrivilege	1468	MsRefHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exeWScript.execmd.exeMsRefHost.execsc.execmd.exe

description	pid	Process	procid_target
PID 4772 wrote to memory of 3968	4772	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	86
PID 4772 wrote to memory of 3968	4772	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	86
PID 4772 wrote to memory of 3968	4772	9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe	86
PID 3968 wrote to memory of 3532	3968	WScript.exe	88
PID 3968 wrote to memory of 3532	3968	WScript.exe	88
PID 3968 wrote to memory of 3532	3968	WScript.exe	88
PID 3532 wrote to memory of 1468	3532	cmd.exe	90
PID 3532 wrote to memory of 1468	3532	cmd.exe	90
PID 1468 wrote to memory of 1936	1468	MsRefHost.exe	97
PID 1468 wrote to memory of 1936	1468	MsRefHost.exe	97
PID 1936 wrote to memory of 3908	1936	csc.exe	99
PID 1936 wrote to memory of 3908	1936	csc.exe	99
PID 1468 wrote to memory of 3856	1468	MsRefHost.exe	116
PID 1468 wrote to memory of 3856	1468	MsRefHost.exe	116
PID 3856 wrote to memory of 4556	3856	cmd.exe	118
PID 3856 wrote to memory of 4556	3856	cmd.exe	118
PID 3856 wrote to memory of 1108	3856	cmd.exe	119
PID 3856 wrote to memory of 1108	3856	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe
"C:\Users\Admin\AppData\Local\Temp\9615f26aefd8a273a4f87f28f88306238f06960ff560b75a9c1f8cd1d7910462.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3532
  - - C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe
      "C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf/MsRefHost.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylmjyyss\ylmjyyss.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0B2.tmp" "c:\Windows\System32\CSCB7606ED5BFA54835834AEEB8DB87F28E.TMP"
        6⤵
        
        PID:3908
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\faltEFKk0g.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3856
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4556
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsRefHostM" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB0B2.tmp

Filesize
1KB

MD5
af8137b61b2fe18356b4599b33a7343d

SHA1
33beb60f6a86963107fe7f3d76a7b2d8bfb328fc

SHA256
8a0c81af0b540f96564b6f625ccaffba63ccfefe58e853453f44afb19013f018

SHA512
2c93d2c85c83bf0bc2453e8b93fa2cafb2dca2ff3975b47aacbd0c39eb283f48637691cc9eaf302710d0d2e84e70df0adb7426851a69312ffeca69932e3d9810

Download Submit
C:\Users\Admin\AppData\Local\Temp\faltEFKk0g.bat

Filesize
175B

MD5
1e1e9571a872886c5e121d5544ec7dca

SHA1
a15f5f54018455bfc38f345895f5fb5eede9ca62

SHA256
80b7fe14f4e62882fcd561f97b13e3a2a502ec2ba5231bd32a2f087c512e2983

SHA512
3fe38dcfeab7b6680c874b063a428b014e4b6c4f276011be3b1308d0a5af7def21c4a927176fdc210a6e5085ef4a533f78beeb018d54b0689c4cc432b0905ba3

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\MsRefHost.exe

Filesize
1.9MB

MD5
8f4b5051db276e30641cd63fac01a982

SHA1
2da38a070be557014c57d314211f6236470aca37

SHA256
5864cdafd1e3c62524dd7ec715b055e11a3ace3f586d575a2c2f5f9c4f096553

SHA512
db77eb1df5aa539bb55ae9c6936c40f7e6d5b9b53e2c7e0c84c2d6df91f541cbdfef92675b45e5e7bb804b8998482970ff92f793e63ad2f9754d43bfab60bfa2

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\jkOicXdQzIcV9is8cWaVy6nJ.vbe

Filesize
247B

MD5
299cb1e8030c59ea61c25d77663d93ce

SHA1
47ed6fb489f8e725a2a25ff2de2f769f8c010ca9

SHA256
c21646d405045a3684859964fb3a6bab60be39d07ef509902baa267fb3735d60

SHA512
121da7ee97dbc5ea1aed2b95acd2b9869783851bf1f267e97dd9ae25d0ad2819eccb8618108d8adb745a4baed59de9eb5da4c2c132659219f5689f03302bcb08

Download Submit
C:\Users\Admin\AppData\Roaming\msSurrogateProvidercomponentPerf\wAdFTqpCaV8zL9PLLEPDNQlrlvWhrY.bat

Filesize
111B

MD5
7570b030d6165dbe5710aea256bc5fb0

SHA1
f748ac754c02cebb69b874e6c2b7c8dd51bfa43c

SHA256
5a7151908f5167f6be21b2518d8d825dc3f13e4fcc0e1b7ea4931669d28ef3e7

SHA512
64ba0ebacbc47fa0a7dc3efd361e89d24d7df343548ad337da0d2f4333e37a5ff208fc0d6f3c197d8e944d38cd4029f13f34b01e8a2adb63baea16dcedcd3ade

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylmjyyss\ylmjyyss.0.cs

Filesize
378B

MD5
98125938b01573bd87e3ee6526aea01d

SHA1
f5b7bff19c89d92323cc33d38774fd51f548752e

SHA256
c5c58b932b2694b27c149c00252b2385b8ae6679b0075a54f7d70f69b34e59e0

SHA512
0c5a0cb6be72794fdc4cd40b929d41a54b76964e740bb8af722e3bca324201279ae08d7c82450fee9f15bab7f5a02e1bd2f327fee0699169a42cd80bb31ae7be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ylmjyyss\ylmjyyss.cmdline

Filesize
235B

MD5
471808fe9f9cc256b48b97797ad18a94

SHA1
2c9681bacb1ee360053c27c89081bfa900598485

SHA256
d4d12d528a5088bc1c63dbc340fa815d8bd2a8f352a534723048a31ead4e1ffa

SHA512
334b8cf8acb85a417d8c10773002805c1d9211e357df80a611d18c0f746afff725f658bcaeb9cdd4a91fdd522c65fe371020c7ca413e63c900e394d1fc403224

Download Submit
\??\c:\Windows\System32\CSCB7606ED5BFA54835834AEEB8DB87F28E.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/1468-20-0x0000000002C00000-0x0000000002C18000-memory.dmp

Filesize
96KB

Download
memory/1468-22-0x0000000002C20000-0x0000000002C32000-memory.dmp

Filesize
72KB

Download
memory/1468-23-0x000000001C130000-0x000000001C658000-memory.dmp

Filesize
5.2MB

Download
memory/1468-25-0x00000000012F0000-0x00000000012FE000-memory.dmp

Filesize
56KB

Download
memory/1468-27-0x0000000001300000-0x000000000130C000-memory.dmp

Filesize
48KB

Download
memory/1468-18-0x000000001B560000-0x000000001B5B0000-memory.dmp

Filesize
320KB

Download
memory/1468-17-0x0000000002BE0000-0x0000000002BFC000-memory.dmp

Filesize
112KB

Download
memory/1468-15-0x00000000012A0000-0x00000000012AE000-memory.dmp

Filesize
56KB

Download
memory/1468-13-0x0000000000790000-0x0000000000984000-memory.dmp

Filesize
2.0MB

Download
memory/1468-12-0x00007FF813CE3000-0x00007FF813CE5000-memory.dmp

Filesize
8KB

Download