dcrat | a2f2e7faee09ff22d394d74ca44ec2a153199d3af3936d1841f3d57c8eae721c

Analysis

max time kernel
91s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-12-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MsSavesSessionDll/agentreviewPerf.exe
Size

2.3MB
MD5

4e69fcf73418a08fcb8b3e7e2ecb43c4
SHA1

a3ecd09f65ca4e7821a0b7f8596edcd679573f5b
SHA256

fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4
SHA512

a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3
SSDEEP

49152:BwpUwcTZ0rUinysyVZl5LCCcG3RTXM34FIIPWYJxuQfUgtFneJ8BG5U:Bw1ctUyjTLC8puaX/neJ8BgU

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 57 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
5032	schtasks.exe
4896	schtasks.exe
5104	schtasks.exe
2608	schtasks.exe
1432	schtasks.exe
3712	schtasks.exe
3644	schtasks.exe
736	schtasks.exe
2788	schtasks.exe
4264	schtasks.exe
3452	schtasks.exe
436	schtasks.exe
3200	schtasks.exe
4012	schtasks.exe
3520	schtasks.exe
2584	schtasks.exe
3868	schtasks.exe
2992	schtasks.exe
4208	schtasks.exe
1956	schtasks.exe
1664	schtasks.exe
4596	schtasks.exe
3336	schtasks.exe
1072	schtasks.exe
2452	schtasks.exe
2800	schtasks.exe
2928	schtasks.exe
5084	schtasks.exe
4996	schtasks.exe
2836	schtasks.exe
3188	schtasks.exe
4992	schtasks.exe
3952	schtasks.exe
2700	schtasks.exe
1228	schtasks.exe
2000	schtasks.exe
4988	schtasks.exe
4788	schtasks.exe
1344	schtasks.exe
4508	schtasks.exe
2116	schtasks.exe
4472	schtasks.exe
1012	schtasks.exe
956	schtasks.exe
3124	schtasks.exe
5064	schtasks.exe
2540	schtasks.exe
2228	schtasks.exe
2784	schtasks.exe
1640	schtasks.exe
4016	schtasks.exe
2720	schtasks.exe
2456	schtasks.exe
4216	schtasks.exe
2416	schtasks.exe
900	schtasks.exe
460	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 19 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\", \"C:\\Windows\\Panther\\setup.exe\\Registry.exe\", \"C:\\Users\\Admin\\Links\\dllhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\", \"C:\\Windows\\Panther\\setup.exe\\Registry.exe\", \"C:\\Users\\Admin\\Links\\dllhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\", \"C:\\Windows\\Panther\\setup.exe\\Registry.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\", \"C:\\Windows\\Panther\\setup.exe\\Registry.exe\", \"C:\\Users\\Admin\\Links\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\", \"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\", \"C:\\Windows\\Panther\\setup.exe\\Registry.exe\", \"C:\\Users\\Admin\\Links\\dllhost.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\winlogon.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Windows\\SystemTemp\\Crashpad\\attachments\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\", \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Windows\\twain_32\\sihost.exe\", \"C:\\Windows\\ja-JP\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\", \"C:\\Users\\All Users\\Idle.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	agentreviewPerf.exe

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3520	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3644	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	4624	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	4624	schtasks.exe	77

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/4104-1-0x0000000000D60000-0x0000000000FB2000-memory.dmp	dcrat
behavioral11/files/0x001900000002ab06-20.dat	dcrat

Executes dropped EXE 1 IoCs

pid	Process
908	winlogon.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Links\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Panther\\setup.exe\\Registry.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SystemTemp\\Crashpad\\attachments\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\twain_32\\sihost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Windows Defender\\uk-UA\\System.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Java\\jdk-1.8\\lib\\services.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\All Users\\Idle.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\dotnet\\swidtag\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SystemTemp\\Crashpad\\attachments\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\ja-JP\\SppExtComObj.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Google\\Update\\Offline\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Configuration\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\Documents\\OfficeClickToRun.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Windows\\Panther\\setup.exe\\Registry.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Windows\\twain_32\\sihost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Microsoft.NET\\assembly\\GAC_64\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\ja-JP\\SppExtComObj.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Admin\\Links\\dllhost.exe\""	agentreviewPerf.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\uk-UA\27d1bcfc3c54e0	agentreviewPerf.exe
File created	C:\Program Files\Java\jdk-1.8\lib\services.exe	agentreviewPerf.exe
File created	C:\Program Files\Java\jdk-1.8\lib\c5b4cb5e9653cc	agentreviewPerf.exe
File created	C:\Program Files\dotnet\swidtag\5940a34987c991	agentreviewPerf.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\winlogon.exe	agentreviewPerf.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\cc11b995f2a76d	agentreviewPerf.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\System.exe	agentreviewPerf.exe
File created	C:\Program Files (x86)\Google\Update\Offline\dllhost.exe	agentreviewPerf.exe
File created	C:\Program Files (x86)\Google\Update\Offline\5940a34987c991	agentreviewPerf.exe
File created	C:\Program Files\dotnet\swidtag\dllhost.exe	agentreviewPerf.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\66fc9ff0ee96c2	agentreviewPerf.exe
File created	C:\Windows\ja-JP\SppExtComObj.exe	agentreviewPerf.exe
File created	C:\Windows\ja-JP\e1ef82546f0b02	agentreviewPerf.exe
File created	C:\Windows\Panther\setup.exe\ee2ad38f3d4382	agentreviewPerf.exe
File created	C:\Windows\SystemTemp\Crashpad\attachments\cc11b995f2a76d	agentreviewPerf.exe
File created	C:\Windows\twain_32\sihost.exe	agentreviewPerf.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\5940a34987c991	agentreviewPerf.exe
File created	C:\Windows\Panther\setup.exe\Registry.exe	agentreviewPerf.exe
File created	C:\Windows\SystemTemp\Crashpad\attachments\winlogon.exe	agentreviewPerf.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\dllhost.exe	agentreviewPerf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	agentreviewPerf.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
900	schtasks.exe
5084	schtasks.exe
2540	schtasks.exe
2720	schtasks.exe
2788	schtasks.exe
1664	schtasks.exe
2800	schtasks.exe
3952	schtasks.exe
2416	schtasks.exe
4988	schtasks.exe
4788	schtasks.exe
1228	schtasks.exe
436	schtasks.exe
2456	schtasks.exe
2228	schtasks.exe
3520	schtasks.exe
2784	schtasks.exe
3200	schtasks.exe
4264	schtasks.exe
5104	schtasks.exe
1640	schtasks.exe
1956	schtasks.exe
5032	schtasks.exe
4208	schtasks.exe
3868	schtasks.exe
2452	schtasks.exe
4016	schtasks.exe
2116	schtasks.exe
4896	schtasks.exe
4996	schtasks.exe
2608	schtasks.exe
4472	schtasks.exe
1012	schtasks.exe
1432	schtasks.exe
956	schtasks.exe
4508	schtasks.exe
2928	schtasks.exe
2700	schtasks.exe
736	schtasks.exe
3124	schtasks.exe
4992	schtasks.exe
2000	schtasks.exe
4216	schtasks.exe
4596	schtasks.exe
2584	schtasks.exe
2836	schtasks.exe
3712	schtasks.exe
2992	schtasks.exe
3336	schtasks.exe
4012	schtasks.exe
1344	schtasks.exe
5064	schtasks.exe
1072	schtasks.exe
3452	schtasks.exe
3644	schtasks.exe
460	schtasks.exe
3188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
4104	agentreviewPerf.exe
908	winlogon.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	agentreviewPerf.exe
Token: SeDebugPrivilege	908	winlogon.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1708	4104	agentreviewPerf.exe	135
PID 4104 wrote to memory of 1708	4104	agentreviewPerf.exe	135
PID 1708 wrote to memory of 1980	1708	cmd.exe	137
PID 1708 wrote to memory of 1980	1708	cmd.exe	137
PID 1708 wrote to memory of 908	1708	cmd.exe	138
PID 1708 wrote to memory of 908	1708	cmd.exe	138

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe
"C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\buBnF4eawh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1980
- - C:\Program Files (x86)\WindowsPowerShell\Configuration\winlogon.exe
    "C:\Program Files (x86)\WindowsPowerShell\Configuration\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\lib\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\lib\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\lib\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\twain_32\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Offline\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\Offline\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\OfficeClickToRun.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Documents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Documents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\swidtag\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\dotnet\swidtag\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\swidtag\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\Panther\setup.exe\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\setup.exe\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemTemp\Crashpad\attachments\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SystemTemp\Crashpad\attachments\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemTemp\Crashpad\attachments\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
2.3MB

MD5
4e69fcf73418a08fcb8b3e7e2ecb43c4

SHA1
a3ecd09f65ca4e7821a0b7f8596edcd679573f5b

SHA256
fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4

SHA512
a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\buBnF4eawh.bat

Filesize
232B

MD5
5223869d4699937baf2846c24bd13069

SHA1
a0268f7fb36a46101fea2cd53a3ee26e65d68663

SHA256
c90e3ff3376827c816293e08262bcaf5b00a447dfc4c6b813f971070bc3a5217

SHA512
65020d229471241dbdde64223e0e320256d8fe44db5fe2afd6937f8978280cc3c6e5a0f022fff4870a9a64405d2c3e56f2883850598b9b844646516cc41d9ad4

Download Submit
memory/908-62-0x00000000013F0000-0x0000000001402000-memory.dmp

Filesize
72KB

Download
memory/908-61-0x000000001D200000-0x000000001D256000-memory.dmp

Filesize
344KB

Download
memory/4104-4-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

Filesize
320KB

Download
memory/4104-5-0x000000001BB50000-0x000000001BB66000-memory.dmp

Filesize
88KB

Download
memory/4104-6-0x000000001C300000-0x000000001C356000-memory.dmp

Filesize
344KB

Download
memory/4104-7-0x000000001BB70000-0x000000001BB82000-memory.dmp

Filesize
72KB

Download
memory/4104-8-0x000000001C880000-0x000000001CDA8000-memory.dmp

Filesize
5.2MB

Download
memory/4104-9-0x000000001C350000-0x000000001C35E000-memory.dmp

Filesize
56KB

Download
memory/4104-11-0x000000001C370000-0x000000001C378000-memory.dmp

Filesize
32KB

Download
memory/4104-10-0x000000001C360000-0x000000001C368000-memory.dmp

Filesize
32KB

Download
memory/4104-0-0x00007FFDC8C33000-0x00007FFDC8C35000-memory.dmp

Filesize
8KB

Download
memory/4104-56-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4104-3-0x0000000003360000-0x000000000337C000-memory.dmp

Filesize
112KB

Download
memory/4104-2-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4104-1-0x0000000000D60000-0x0000000000FB2000-memory.dmp

Filesize
2.3MB

Download