Overview

overview

10

Static

static

3

076c80010c...33.exe

windows7-x64

10

076c80010c...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2025 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe

  • Size

    2.2MB

  • MD5

    be4ae5e0b545e43608ae6a60ce297871

  • SHA1

    ded512ee44ed38b7a6541b4e1d797387a27a5d93

  • SHA256

    076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533

  • SHA512

    45aafc3ec5787b1bf143a1d6b9f8ce79447157879c684849486d87a3a7b357862688016809277ff2c9e57a6d06a0613e12009c5a279d07ced4ecc3b3bc9cd0c3

  • SSDEEP

    24576:2TbBv5rUyXVoEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObx5:IBJvZ+qwOZFM+aJJbL+iNuuMxoyW29L

Score
10/10
dcratdiscoveryexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe
    "C:\Users\Admin\AppData\Local\Temp\076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2644
        • C:\msportComWin\BridgePortsurrogateserverref.exe
          "C:\msportComWin/BridgePortsurrogateserverref.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2760
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ugtq1dts\ugtq1dts.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:792
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES650A.tmp" "c:\Windows\System32\CSC7EC510918D54468A9738D6A8C1669FAF.TMP"
              6⤵
                PID:1500
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2368
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2216
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2184
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1796
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2916
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2920
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1208
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2428
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2204
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2356
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1724
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1708
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2208
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\csrss.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1828
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:2352
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\audiodg.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1640
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1720
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:408
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cs1zAVteKl.bat"
              5⤵
                PID:3064
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  6⤵
                    PID:1028
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    6⤵
                      PID:1140
                    • C:\msportComWin\BridgePortsurrogateserverref.exe
                      "C:\msportComWin\BridgePortsurrogateserverref.exe"
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2080
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NbfRo2XZmG.bat"
                        7⤵
                          PID:2600
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            8⤵
                              PID:2496
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              8⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:2520
                            • C:\msportComWin\BridgePortsurrogateserverref.exe
                              "C:\msportComWin\BridgePortsurrogateserverref.exe"
                              8⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2248
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bFWQ59IHKo.bat"
                                9⤵
                                  PID:1716
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    10⤵
                                      PID:1732
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      10⤵
                                        PID:2928
                                      • C:\msportComWin\BridgePortsurrogateserverref.exe
                                        "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                        10⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1324
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\um5tZ6OCE3.bat"
                                          11⤵
                                            PID:2384
                                            • C:\Windows\system32\chcp.com
                                              chcp 65001
                                              12⤵
                                                PID:1168
                                              • C:\Windows\system32\PING.EXE
                                                ping -n 10 localhost
                                                12⤵
                                                • System Network Configuration Discovery: Internet Connection Discovery
                                                • Runs ping.exe
                                                PID:444
                                              • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                12⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1752
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k4B7WkvJxo.bat"
                                                  13⤵
                                                    PID:2868
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 65001
                                                      14⤵
                                                        PID:2792
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        14⤵
                                                          PID:476
                                                        • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                          "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                          14⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2068
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ylDQV2JGYe.bat"
                                                            15⤵
                                                              PID:1988
                                                              • C:\Windows\system32\chcp.com
                                                                chcp 65001
                                                                16⤵
                                                                  PID:2872
                                                                • C:\Windows\system32\PING.EXE
                                                                  ping -n 10 localhost
                                                                  16⤵
                                                                  • System Network Configuration Discovery: Internet Connection Discovery
                                                                  • Runs ping.exe
                                                                  PID:2008
                                                                • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                  "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                  16⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1300
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TAB96jcSpT.bat"
                                                                    17⤵
                                                                      PID:2772
                                                                      • C:\Windows\system32\chcp.com
                                                                        chcp 65001
                                                                        18⤵
                                                                          PID:2600
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          18⤵
                                                                            PID:1128
                                                                          • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                            "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                            18⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2360
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\50TwasnRS2.bat"
                                                                              19⤵
                                                                                PID:1368
                                                                                • C:\Windows\system32\chcp.com
                                                                                  chcp 65001
                                                                                  20⤵
                                                                                    PID:1252
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    20⤵
                                                                                      PID:2916
                                                                                    • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                      "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                      20⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1796
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat"
                                                                                        21⤵
                                                                                          PID:1324
                                                                                          • C:\Windows\system32\chcp.com
                                                                                            chcp 65001
                                                                                            22⤵
                                                                                              PID:2368
                                                                                            • C:\Windows\system32\PING.EXE
                                                                                              ping -n 10 localhost
                                                                                              22⤵
                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                              • Runs ping.exe
                                                                                              PID:2968
                                                                                            • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                              "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                              22⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:3020
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbtAGVbC4L.bat"
                                                                                                23⤵
                                                                                                  PID:1712
                                                                                                  • C:\Windows\system32\chcp.com
                                                                                                    chcp 65001
                                                                                                    24⤵
                                                                                                      PID:1728
                                                                                                    • C:\Windows\system32\PING.EXE
                                                                                                      ping -n 10 localhost
                                                                                                      24⤵
                                                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                      • Runs ping.exe
                                                                                                      PID:476
                                                                                                    • C:\msportComWin\BridgePortsurrogateserverref.exe
                                                                                                      "C:\msportComWin\BridgePortsurrogateserverref.exe"
                                                                                                      24⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:3036
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat"
                                                                                                        25⤵
                                                                                                          PID:856
                                                                                                          • C:\Windows\system32\chcp.com
                                                                                                            chcp 65001
                                                                                                            26⤵
                                                                                                              PID:2616
                                                                                                            • C:\Windows\system32\PING.EXE
                                                                                                              ping -n 10 localhost
                                                                                                              26⤵
                                                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                                                              • Runs ping.exe
                                                                                                              PID:532
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3004
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2988
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:556
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2028
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2800
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\csrss.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2824
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2588
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:852
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2400
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DISM\audiodg.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2460
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\audiodg.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1740
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\DISM\audiodg.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1876
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1804
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2996
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1872
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 5 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1988
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "BridgePortsurrogateserverref" /sc ONLOGON /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2020
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 5 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2076

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Reconnaissance

                                                          Resource Development

                                                          Initial Access

                                                          Execution

                                                          Command and Scripting Interpreter

                                                          1
                                                          T1059

                                                          PowerShell

                                                          1
                                                          T1059.001

                                                          Scheduled Task/Job

                                                          1
                                                          T1053

                                                          Scheduled Task

                                                          1
                                                          T1053.005

                                                          Persistence

                                                          Boot or Logon Autostart Execution

                                                          2
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          1
                                                          T1547.001

                                                          Winlogon Helper DLL

                                                          1
                                                          T1547.004

                                                          Scheduled Task/Job

                                                          1
                                                          T1053

                                                          Scheduled Task

                                                          1
                                                          T1053.005

                                                          Privilege Escalation

                                                          Boot or Logon Autostart Execution

                                                          2
                                                          T1547

                                                          Registry Run Keys / Startup Folder

                                                          1
                                                          T1547.001

                                                          Winlogon Helper DLL

                                                          1
                                                          T1547.004

                                                          Scheduled Task/Job

                                                          1
                                                          T1053

                                                          Scheduled Task

                                                          1
                                                          T1053.005

                                                          Defense Evasion

                                                          Modify Registry

                                                          2
                                                          T1112

                                                          Credential Access

                                                          Discovery

                                                          Query Registry

                                                          1
                                                          T1012

                                                          Remote System Discovery

                                                          1
                                                          T1018

                                                          System Information Discovery

                                                          1
                                                          T1082

                                                          System Location Discovery

                                                          1
                                                          T1614

                                                          System Language Discovery

                                                          1
                                                          T1614.001

                                                          System Network Configuration Discovery

                                                          1
                                                          T1016

                                                          Internet Connection Discovery

                                                          1
                                                          T1016.001

                                                          Lateral Movement

                                                          Collection

                                                          Command and Control

                                                          Exfiltration

                                                          Impact

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Temp\50TwasnRS2.bat
                                                            Filesize

                                                            224B

                                                            MD5

                                                            479abfcddfc297e91d6779f1160f8bf1

                                                            SHA1

                                                            26ac93d0f1b13ccdee633550c12669ba1256a369

                                                            SHA256

                                                            8ae93f755717b91212b7c858a18e2be773d84b18400a1846248faaf7c9bd9b09

                                                            SHA512

                                                            56678e0cf25cbe5c96fbc6b2a48c2fe9be82c327e98fac5ea524404ae74a8dcd44c2ef44a6ad996bbefb94fbef773ad886ab75b037301d417fa4b25db41d03fc

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\Cs1zAVteKl.bat
                                                            Filesize

                                                            224B

                                                            MD5

                                                            dfc66af44f4494b3b8ba1adb5b04f1f4

                                                            SHA1

                                                            58901d0f8270d487f7e53cac11c14fb38167ab17

                                                            SHA256

                                                            ba8ebeb21ce86f117075e6b7556a8658989a3f9e3d250fe1d045d6f09313e771

                                                            SHA512

                                                            8dbd443863dfb4d571fee381fd066f18c49b557e5219b7e6fa633e562620cc0f5f28d4c2265ae0b31cbb1f0609634ff6e8067ef2dd1fd4e3d3ea5ecfbbde519b

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\ECvQfnJznV.bat
                                                            Filesize

                                                            176B

                                                            MD5

                                                            8c70ce833716c758ecd4ae0b4c6ef5e0

                                                            SHA1

                                                            0edd49f143ac68b5c39d8ffa9b1a92eecbc3d607

                                                            SHA256

                                                            99542b36edcbd0d28d8a5cdb9a65e6c228cbf0ee779e8be8ccf25c40e396d54c

                                                            SHA512

                                                            8c24baed34ba57248ec944c8735c3cc75a1e44f3e8148e2e1950e2455fb7f8645b3d3b3b88a1212e75ee7ad0c88ae681ef9423574e4d42f240389097415e4ac7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\NbfRo2XZmG.bat
                                                            Filesize

                                                            176B

                                                            MD5

                                                            9dcb6982f0c85248b0cf5d5f8bdd5cb9

                                                            SHA1

                                                            919ded165dd112389bbc5236b169182a739b3425

                                                            SHA256

                                                            548d68f224544307bef91ecb3296d052fc648dbfea2a1edf5221e0716cbd8686

                                                            SHA512

                                                            0ecde4a0eaa65d6fecc257803f539a3dc42b5822f25bf35df26c41cd32b073be5dc4e978fa624fd0b817fe61d1be00f64171a59dcd2a48ad36d5015281ef00a7

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\RES650A.tmp
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            ece4f9ed19bd51e51b66fa9ed3d108b9

                                                            SHA1

                                                            bb7cda3f81213635570ec48dd274a1e516cd0646

                                                            SHA256

                                                            8edea60589326622a013375cfa98342623d1e7a784c057bedab8dc1edde3c329

                                                            SHA512

                                                            a367b6e397c06fa9d3a9b399eaa5ef200970432b5cc1a26785ad6ff094e293b461bcfdada9427e2d96efd56984d0ac052057dfe2692c26a36513077f58cbc08f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\TAB96jcSpT.bat
                                                            Filesize

                                                            224B

                                                            MD5

                                                            5fd0c5392d4d6cdc4c91632d9e73e68d

                                                            SHA1

                                                            208b6ddcf096f6d7da43375ceb713e97d4cd7ecc

                                                            SHA256

                                                            72708a4a6e93e44e583161b30a0e52a3ff390c11dbbe09c9ca6ca3762a76586f

                                                            SHA512

                                                            c72fcda1ea927a963e366d0d2eadc87ce00387b515e4be28535bf81b325835eddda6e3fff9b2a0dae69bda2f8282b3224f642f1283cb59238c494d80641027a5

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\bFWQ59IHKo.bat
                                                            Filesize

                                                            224B

                                                            MD5

                                                            3671aa2fd3d7d3caf72e9d4901e0b519

                                                            SHA1

                                                            c2699fe2fb8c4513e1ec39675c7335e9a55f831c

                                                            SHA256

                                                            4adf0aaa2dc02ee01f38d235630eba8d7904c71f8458d73e6dc1ea8a21dd512f

                                                            SHA512

                                                            4024026cf374f634d0b3975ef8db0d842ccaebe4c3925ecb05a19eb859929a76cccb0eaf8d4b28705a8c8df059fdbfa836ef8cd279680f581551a9509e6f37f4

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\gjUXinqH5W.bat
                                                            Filesize

                                                            176B

                                                            MD5

                                                            3d030a952637ef6d5afff03c98097137

                                                            SHA1

                                                            5816f19659efda0a163c3725b4a24414130d8331

                                                            SHA256

                                                            ad106e7b818f55f1cecf40990fd5f5f319f9f10f40c4f886c65fa5dc46838ad9

                                                            SHA512

                                                            92a3540280cc7d7b59753b4deaa985da11508b0517e2457283806c3ece9bb7bf51f1e72b2ef5f4d4cd6198a2ee8dd5bf5fd5478f60d520c9c496e2d350282efc

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\k4B7WkvJxo.bat
                                                            Filesize

                                                            224B

                                                            MD5

                                                            8c54affe1cae48b37625be0c5d4be69c

                                                            SHA1

                                                            0d414c3bf6ccf8bb5fc41f4f14a16872ec29eba7

                                                            SHA256

                                                            9af6834e52ee96992e566ab66f649135dcf23a33532e38f96e6887e13c754a18

                                                            SHA512

                                                            8110e1beba8ddfaf6db2a6e0cc2620d898bd9d3ba8080efbac7e94d25f3124f3798960d6748a5bbd93af51a70411b9f12065a0f1dec6c3d98d2d0fb1ccdd5171

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\kbtAGVbC4L.bat
                                                            Filesize

                                                            176B

                                                            MD5

                                                            01499598259854d75279c9d55471fac5

                                                            SHA1

                                                            59fadb9361cbc2054a9ee2d35bae2f0e98a32289

                                                            SHA256

                                                            2421dbdc5ed8a96695093aab9d7d7f0b924c9f10f627283ecc11e2d054de2c7e

                                                            SHA512

                                                            724ab224e8c66f56d331d6b521b384952098533da7893f01e73ad478f1a4852711e90c74094fc75b294740bba0a305a9713f096e9734bcb4f3e827f32b46273c

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\um5tZ6OCE3.bat
                                                            Filesize

                                                            176B

                                                            MD5

                                                            8366c4e43286e83b8b4e479d6ba1c911

                                                            SHA1

                                                            bd33fd53729236244d5b0bccc48e36dfdb761fb7

                                                            SHA256

                                                            032e18be071465d25eb6d6d818ac341b890520abc23a18fb5048051fe6ce4112

                                                            SHA512

                                                            237dc29b9560eaa90594af9b0e43b6c0bd38e25a86ffcfc4c961a2346fd5f843f8a5ce5c93c28548b1c79405b7b3df2a42cf9a1b5b20de5d205d322dc788f871

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\ylDQV2JGYe.bat
                                                            Filesize

                                                            176B

                                                            MD5

                                                            3942a6953ad36a1ce2e9c2f105970d26

                                                            SHA1

                                                            948d3ae8472a618cf32aca2a6edac66e8cb0d06d

                                                            SHA256

                                                            da372ab78ccb8ddb41e1f70a4c926b507932bbc505d449101a43401e2591dac9

                                                            SHA512

                                                            3862f12ebd32e2ea2230c0802d9eb0876b9aa28ef23988750749a70dfb3dc594638e9eebd4ac1471957556c33501166f3120cb71babf12a3ce92c7584e12b94e

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                                            Filesize

                                                            7KB

                                                            MD5

                                                            d8ecb018325d1140146d538089fa2413

                                                            SHA1

                                                            a284e1732e6964011f7584ff57f0af3d2d440f8d

                                                            SHA256

                                                            c678ddd9414bf77d3cf963bf4209058c85fe3075ff179d3f07242d12c25cfadf

                                                            SHA512

                                                            cfbd818b8bc33efbc408741c377bef109cf35d0c7a468f6157f50e407ac48f9e37163c2325451b54c6d190794b0a7be8a9057629bb8892cb3b4e0fcd9556d7ba

                                                            Download Submit

                                                          • C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat
                                                            Filesize

                                                            114B

                                                            MD5

                                                            ec4930435249e865ec0910b90ce34010

                                                            SHA1

                                                            e00242ba6b91abe0291ee6c003c7cda9f280a20c

                                                            SHA256

                                                            aecaccc8288e076efa186171eab1ce946b8c0438e607f00a442b04e1e080dfbb

                                                            SHA512

                                                            f1bb3a20bd279b62b94349d253b64a4bb9227fa214785e265b5f5457a552bddb141faea48109ed80a6d77f34c8ba68fd2911daa178893daee52259e89a6b80aa

                                                            Download Submit

                                                          • C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe
                                                            Filesize

                                                            248B

                                                            MD5

                                                            528d2d62b3a0a43e28f6c5bc9e59fb49

                                                            SHA1

                                                            b8347b3f11fdb951bf4c930bef813180c42f98c1

                                                            SHA256

                                                            9d271ddb2a3de2347db1800f94865bab4758e8f89760f7f0fc6368eb14a9597b

                                                            SHA512

                                                            a208e41f97a080ab5550632daa10ac7d4d43ca603207406df14e749765662089f38ff52feced3083dbcb08daa2821e9fc6df511fa1a1f18b4b9e8e38f68fa171

                                                            Download Submit

                                                          • \??\c:\Users\Admin\AppData\Local\Temp\ugtq1dts\ugtq1dts.0.cs
                                                            Filesize

                                                            402B

                                                            MD5

                                                            127cb7fc091492e7db4663d9cfa79f7d

                                                            SHA1

                                                            b577396c62a8540de96453ee559f1f122ab06743

                                                            SHA256

                                                            132325d8ee8e28c60656247d555520cf743939ba741ab4d7c7bc9c6ef76e80f8

                                                            SHA512

                                                            b8c917d2d4cb66cc2c6b7019aa166123e365caf111220246c481170a4d3b27e59e9600fd92e47236a66a0717cd6bf3b24fc326af1c9db38c9e53b10d5acd01a6

                                                            Download Submit

                                                          • \??\c:\Users\Admin\AppData\Local\Temp\ugtq1dts\ugtq1dts.cmdline
                                                            Filesize

                                                            235B

                                                            MD5

                                                            4462cb2ae64f15c879957e05442f2647

                                                            SHA1

                                                            efd2138aa3a036a12d5d96bc9572e9a478486911

                                                            SHA256

                                                            094b2e518464097a1f48d964e095fecd08243638ae819ceb324c86f4d418aca3

                                                            SHA512

                                                            b8adecec4dd5a9f1d44fc0b91f0db5b1c75ec4c2b1606c14d6e76594ff434eb802765f07217e490c2bb176f464563c34873f065acbf100957386288bdf5708fc

                                                            Download Submit

                                                          • \??\c:\Windows\System32\CSC7EC510918D54468A9738D6A8C1669FAF.TMP
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            b74f131aab310dc6e37b43e729c24199

                                                            SHA1

                                                            bade4cf35d7e80e79880396c1fdd518d9ab78bdf

                                                            SHA256

                                                            5fdff2a34cc18e36619ff327b292a8255286dc102d85074b7fc625ccbdbe1858

                                                            SHA512

                                                            733cb12c94d0a8bedc9a38c073dff2fc46553854d7e835767aaa749b4754beef77fa3bc8232eab21c92bc808c08b150cafe5c035bb33d82292fbf76fec55d885

                                                            Download Submit

                                                          • \msportComWin\BridgePortsurrogateserverref.exe
                                                            Filesize

                                                            1.9MB

                                                            MD5

                                                            5f80a11e82cc7495cf5ad7df3d052721

                                                            SHA1

                                                            3a20eb31195a97cf5da7d3c20c1b8c4913b95a13

                                                            SHA256

                                                            851aa5f3636700f9bb71a4c0d040255f19871ba306f87d9f66b39f3b207ec15b

                                                            SHA512

                                                            7acdd2a4f5170212beabeba86dcb7a6be74c4c83815db3bb328d6541f6a259ec3c6ff469f103eb125163371f103ae3060404e1c34622f2d4d9cb34d2cc7b3c0d

                                                            Download Submit

                                                          • memory/1300-216-0x0000000000220000-0x0000000000410000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download

                                                          • memory/1752-189-0x00000000003F0000-0x00000000005E0000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download

                                                          • memory/1796-242-0x0000000000FA0000-0x0000000001190000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download

                                                          • memory/2068-202-0x00000000013C0000-0x00000000015B0000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download

                                                          • memory/2080-151-0x00000000001F0000-0x00000000003E0000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download

                                                          • memory/2248-164-0x0000000001060000-0x0000000001250000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download

                                                          • memory/2360-229-0x00000000002F0000-0x00000000004E0000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download

                                                          • memory/2368-58-0x000000001B660000-0x000000001B942000-memory.dmp

                                                            Filesize

                                                            2.9MB

                                                            Download

                                                          • memory/2368-59-0x0000000002290000-0x0000000002298000-memory.dmp

                                                            Filesize

                                                            32KB

                                                            Download

                                                          • memory/2760-25-0x00000000005D0000-0x00000000005DC000-memory.dmp

                                                            Filesize

                                                            48KB

                                                            Download

                                                          • memory/2760-23-0x00000000005C0000-0x00000000005CE000-memory.dmp

                                                            Filesize

                                                            56KB

                                                            Download

                                                          • memory/2760-21-0x00000000005A0000-0x00000000005AE000-memory.dmp

                                                            Filesize

                                                            56KB

                                                            Download

                                                          • memory/2760-19-0x0000000000600000-0x0000000000618000-memory.dmp

                                                            Filesize

                                                            96KB

                                                            Download

                                                          • memory/2760-17-0x00000000005E0000-0x00000000005FC000-memory.dmp

                                                            Filesize

                                                            112KB

                                                            Download

                                                          • memory/2760-15-0x0000000000590000-0x000000000059E000-memory.dmp

                                                            Filesize

                                                            56KB

                                                            Download

                                                          • memory/2760-13-0x00000000013B0000-0x00000000015A0000-memory.dmp

                                                            Filesize

                                                            1.9MB

                                                            Download