dcrat | a2f2e7faee09ff22d394d74ca44ec2a153199d3af3936d1841f3d57c8eae721c

Analysis

max time kernel
135s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MsSavesSessionDll/agentreviewPerf.exe
Size

2.3MB
MD5

4e69fcf73418a08fcb8b3e7e2ecb43c4
SHA1

a3ecd09f65ca4e7821a0b7f8596edcd679573f5b
SHA256

fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4
SHA512

a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3
SSDEEP

49152:BwpUwcTZ0rUinysyVZl5LCCcG3RTXM34FIIPWYJxuQfUgtFneJ8BG5U:Bw1ctUyjTLC8puaX/neJ8BgU

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 42 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2608	schtasks.exe
1948	schtasks.exe
2000	schtasks.exe
2688	schtasks.exe
1220	schtasks.exe
212	schtasks.exe
2612	schtasks.exe
1524	schtasks.exe
4532	schtasks.exe
1188	schtasks.exe
1472	schtasks.exe
5076	schtasks.exe
372	schtasks.exe
1392	schtasks.exe
3208	schtasks.exe
2756	schtasks.exe
3580	schtasks.exe
2444	schtasks.exe
3064	schtasks.exe
1760	schtasks.exe
4768	schtasks.exe
1092	schtasks.exe
2820	schtasks.exe
2568	schtasks.exe
864	schtasks.exe
4948	schtasks.exe
1196	schtasks.exe
2760	schtasks.exe
2436	schtasks.exe
2412	schtasks.exe
3128	schtasks.exe
592	schtasks.exe
4848	schtasks.exe
3812	schtasks.exe
1988	schtasks.exe
2056	schtasks.exe
2592	schtasks.exe
1652	schtasks.exe
1872	schtasks.exe
1240	schtasks.exe
5080	schtasks.exe
1984	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\sihost.exe\", \"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\sihost.exe\", \"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Windows\\Tasks\\agentreviewPerf.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\sihost.exe\", \"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\sihost.exe\", \"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Windows\\Tasks\\agentreviewPerf.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\sihost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\sihost.exe\", \"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Registry.exe\", \"C:\\Windows\\ShellComponents\\MusNotification.exe\", \"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\", \"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\", \"C:\\Users\\Public\\taskhostw.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\", \"C:\\Program Files\\dotnet\\shared\\sihost.exe\", \"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\", \"C:\\Windows\\Tasks\\agentreviewPerf.exe\", \"C:\\Recovery\\WindowsRE\\sysmon.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\""	agentreviewPerf.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	1728	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1728	schtasks.exe	85

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral6/memory/4972-1-0x0000000000840000-0x0000000000A92000-memory.dmp	dcrat
behavioral6/files/0x000e000000023ba3-20.dat	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	agentreviewPerf.exe

Executes dropped EXE 1 IoCs

pid	Process
736	unsecapp.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Public\\taskhostw.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\dotnet\\shared\\sihost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Users\\Public\\taskhostw.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Windows\\ShellComponents\\MusNotification.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\winlogon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MusNotification = "\"C:\\Windows\\ShellComponents\\MusNotification.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agentreviewPerf = "\"C:\\Windows\\Tasks\\agentreviewPerf.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\agentreviewPerf = "\"C:\\Windows\\Tasks\\agentreviewPerf.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Program Files\\dotnet\\shared\\sihost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\dllhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft OneDrive\\wininit.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\fontdrvhost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\Microsoft Office 15\\backgroundTaskHost.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Recovery\\WindowsRE\\sysmon.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\unsecapp.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Registry.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Registry.exe\""	agentreviewPerf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	agentreviewPerf.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe	agentreviewPerf.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\5940a34987c991	agentreviewPerf.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe	agentreviewPerf.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\29c1c3cc0f7685	agentreviewPerf.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5b884080fd4f94	agentreviewPerf.exe
File created	C:\Program Files\dotnet\shared\66fc9ff0ee96c2	agentreviewPerf.exe
File created	C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe	agentreviewPerf.exe
File created	C:\Program Files\dotnet\shared\sihost.exe	agentreviewPerf.exe
File created	C:\Program Files\Microsoft Office 15\eddb19405b7ce1	agentreviewPerf.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe	agentreviewPerf.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\cc11b995f2a76d	agentreviewPerf.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe	agentreviewPerf.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\MusNotification.exe	agentreviewPerf.exe
File created	C:\Windows\ShellComponents\aa97147c4c782d	agentreviewPerf.exe
File created	C:\Windows\Tasks\agentreviewPerf.exe	agentreviewPerf.exe
File created	C:\Windows\Tasks\12c1d5d6343a58	agentreviewPerf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	agentreviewPerf.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1984	schtasks.exe
1092	schtasks.exe
2436	schtasks.exe
2820	schtasks.exe
1220	schtasks.exe
2592	schtasks.exe
1760	schtasks.exe
2688	schtasks.exe
3208	schtasks.exe
4948	schtasks.exe
2412	schtasks.exe
592	schtasks.exe
4848	schtasks.exe
372	schtasks.exe
1652	schtasks.exe
2444	schtasks.exe
1988	schtasks.exe
3580	schtasks.exe
1188	schtasks.exe
212	schtasks.exe
3064	schtasks.exe
3128	schtasks.exe
2056	schtasks.exe
1196	schtasks.exe
5080	schtasks.exe
4768	schtasks.exe
2612	schtasks.exe
1524	schtasks.exe
1948	schtasks.exe
2760	schtasks.exe
864	schtasks.exe
5076	schtasks.exe
1240	schtasks.exe
3812	schtasks.exe
2000	schtasks.exe
1872	schtasks.exe
1472	schtasks.exe
2608	schtasks.exe
2568	schtasks.exe
2756	schtasks.exe
4532	schtasks.exe
1392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
4972	agentreviewPerf.exe
736	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	agentreviewPerf.exe
Token: SeDebugPrivilege	736	unsecapp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 2208	4972	agentreviewPerf.exe	128
PID 4972 wrote to memory of 2208	4972	agentreviewPerf.exe	128
PID 2208 wrote to memory of 4648	2208	cmd.exe	130
PID 2208 wrote to memory of 4648	2208	cmd.exe	130
PID 2208 wrote to memory of 736	2208	cmd.exe	131
PID 2208 wrote to memory of 736	2208	cmd.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe
"C:\Users\Admin\AppData\Local\Temp\MsSavesSessionDll\agentreviewPerf.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PaQw2pT4yH.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4648
- - C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe
    "C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 10 /tr "'C:\Windows\ShellComponents\MusNotification.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Windows\ShellComponents\MusNotification.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellComponents\MusNotification.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft OneDrive\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\taskhostw.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Public\taskhostw.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\dotnet\shared\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\dotnet\shared\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\dotnet\shared\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\agentreviewPerf.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewPerf" /sc ONLOGON /tr "'C:\Windows\Tasks\agentreviewPerf.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentreviewPerfa" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\agentreviewPerf.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\unsecapp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PaQw2pT4yH.bat

Filesize
231B

MD5
12bbb79bc087b105cfa33018adb6fbbd

SHA1
66a70a72e2b1505e8c2308c76e506358ef8e6954

SHA256
b0d060b2df1fe3f5d44ca3465cb575b641dd07261353fa0d587b4f68e3d54ab9

SHA512
85ad8022b75ebd55d9d9c548d0da705e92ebbe9d528c681d150aa4ce92628fa1ea3c9f5e6a3d78a4cb49ab32d1886fbd8169d59667f11d5898e793c16db48794

Download Submit
C:\Users\Public\taskhostw.exe

Filesize
2.3MB

MD5
4e69fcf73418a08fcb8b3e7e2ecb43c4

SHA1
a3ecd09f65ca4e7821a0b7f8596edcd679573f5b

SHA256
fa78ac8f4c94923c7e53a3bf6936b46aff02f7746ee9518460c2d529ea2982d4

SHA512
a6d1a2b6363ad8a560567e6c11a48f8d1bc4cdfc36474902edf39f676440be82619aae52279121a776486d0edfe7a448f0fe9707b27ae760c1d6dd0201f6adc3

Download Submit
memory/736-51-0x0000000001B10000-0x0000000001B22000-memory.dmp

Filesize
72KB

Download
memory/4972-6-0x000000001BCC0000-0x000000001BD16000-memory.dmp

Filesize
344KB

Download
memory/4972-0-0x00007FFDCF483000-0x00007FFDCF485000-memory.dmp

Filesize
8KB

Download
memory/4972-5-0x000000001B5C0000-0x000000001B5D6000-memory.dmp

Filesize
88KB

Download
memory/4972-4-0x000000001BC70000-0x000000001BCC0000-memory.dmp

Filesize
320KB

Download
memory/4972-7-0x00000000012E0000-0x00000000012F2000-memory.dmp

Filesize
72KB

Download
memory/4972-8-0x000000001C580000-0x000000001CAA8000-memory.dmp

Filesize
5.2MB

Download
memory/4972-9-0x000000001B600000-0x000000001B60E000-memory.dmp

Filesize
56KB

Download
memory/4972-10-0x000000001B720000-0x000000001B728000-memory.dmp

Filesize
32KB

Download
memory/4972-11-0x000000001B730000-0x000000001B738000-memory.dmp

Filesize
32KB

Download
memory/4972-3-0x00000000012C0000-0x00000000012DC000-memory.dmp

Filesize
112KB

Download
memory/4972-2-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/4972-47-0x00007FFDCF480000-0x00007FFDCFF41000-memory.dmp

Filesize
10.8MB

Download
memory/4972-1-0x0000000000840000-0x0000000000A92000-memory.dmp

Filesize
2.3MB

Download