dcrat | 0c240b2768116ef0f03af241b177004e5e456ed9039744c8619956d0c960d31e

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/03/2025, 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxVersionFix.exe
Size

1.7MB
MD5

c4ecabd9a15748628acdb4eabe1f5733
SHA1

2abc8d0b03faae2a3dfbb5b3ace7bb049a895a49
SHA256

0c240b2768116ef0f03af241b177004e5e456ed9039744c8619956d0c960d31e
SHA512

9d673547d7369a18f9254f1b73ea33aadb51e6c84da8c6de84f5fe0bd7e3813778f980ea6646ff32d1b981bc56c8751acfa877025cb835088ec72c2bea24e687
SSDEEP

24576:h2G/nvxW3W70w+LhSRJVv14LegEY2nac1VbECN8Bz5jftyrp9+CA:hbA3pw+eJJ4pzZtU+

Score

10^/10

dcrat discovery infostealer rat spyware stealer

Malware Config

Signatures

DcRat 64 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2812	schtasks.exe
		1972	schtasks.exe
		2140	schtasks.exe
		1112	schtasks.exe
		3004	schtasks.exe
		996	schtasks.exe
		2540	schtasks.exe
		2948	schtasks.exe
		2028	schtasks.exe
		688	schtasks.exe
		3016	schtasks.exe
		2480	schtasks.exe
		2376	schtasks.exe
		1068	schtasks.exe
		1996	schtasks.exe
		1044	schtasks.exe
		2148	schtasks.exe
		2372	schtasks.exe
		2556	schtasks.exe
		2616	schtasks.exe
		1276	schtasks.exe
File created	C:\Windows\Setup\State\088424020bedd6		surrogateproviderSvc.exe
		916	schtasks.exe
		2732	schtasks.exe
		1784	schtasks.exe
		580	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		RobloxVersionFix.exe
		1824	schtasks.exe
		1360	schtasks.exe
		1328	schtasks.exe
		2864	schtasks.exe
		2568	schtasks.exe
		2896	schtasks.exe
		2120	schtasks.exe
		1712	schtasks.exe
		992	schtasks.exe
		600	schtasks.exe
		2928	schtasks.exe
		2984	schtasks.exe
		2596	schtasks.exe
		2304	schtasks.exe
		2828	schtasks.exe
		316	schtasks.exe
		2992	schtasks.exe
		1964	schtasks.exe
		1840	schtasks.exe
		780	schtasks.exe
		2676	schtasks.exe
		2108	schtasks.exe
		1348	schtasks.exe
		1032	schtasks.exe
		288	schtasks.exe
		1616	schtasks.exe
		2312	schtasks.exe
		1332	schtasks.exe
		3024	schtasks.exe
		1908	schtasks.exe
		2664	schtasks.exe
		1736	schtasks.exe
		1808	schtasks.exe
		908	schtasks.exe
		2792	schtasks.exe
		2420	schtasks.exe
		3056	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1084	schtasks.exe	34

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d7f-9.dat	dcrat
behavioral1/memory/2688-13-0x0000000000050000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/1772-34-0x00000000010C0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2080-73-0x0000000000BC0000-0x0000000000D00000-memory.dmp	dcrat

Executes dropped EXE 3 IoCs

pid	Process
2688	surrogateproviderSvc.exe
1772	surrogateproviderSvc.exe
2080	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2612	cmd.exe
2612	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	surrogateproviderSvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	surrogateproviderSvc.exe
File created	C:\Program Files\7-Zip\csrss.exe	surrogateproviderSvc.exe
File created	C:\Program Files\7-Zip\886983d96e3d3e	surrogateproviderSvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\AuthCabs\surrogateproviderSvc.exe	surrogateproviderSvc.exe
File created	C:\Windows\Setup\State\088424020bedd6	surrogateproviderSvc.exe
File created	C:\Windows\Branding\ShellBrd\csrss.exe	surrogateproviderSvc.exe
File created	C:\Windows\Branding\ShellBrd\886983d96e3d3e	surrogateproviderSvc.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\07b10322839ab7	surrogateproviderSvc.exe
File created	C:\Windows\Setup\State\conhost.exe	surrogateproviderSvc.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\wininit.exe	surrogateproviderSvc.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\56085415360792	surrogateproviderSvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\System.exe	surrogateproviderSvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\27d1bcfc3c54e0	surrogateproviderSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxVersionFix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	System.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	System.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3056	schtasks.exe
1736	schtasks.exe
3024	schtasks.exe
2540	schtasks.exe
2992	schtasks.exe
2108	schtasks.exe
580	schtasks.exe
3016	schtasks.exe
3004	schtasks.exe
996	schtasks.exe
2616	schtasks.exe
2676	schtasks.exe
916	schtasks.exe
2420	schtasks.exe
688	schtasks.exe
1908	schtasks.exe
1808	schtasks.exe
908	schtasks.exe
1712	schtasks.exe
992	schtasks.exe
2948	schtasks.exe
1276	schtasks.exe
1332	schtasks.exe
2480	schtasks.exe
1348	schtasks.exe
2304	schtasks.exe
2148	schtasks.exe
2376	schtasks.exe
1840	schtasks.exe
1360	schtasks.exe
288	schtasks.exe
1616	schtasks.exe
2568	schtasks.exe
316	schtasks.exe
2312	schtasks.exe
2792	schtasks.exe
1784	schtasks.exe
2664	schtasks.exe
780	schtasks.exe
1032	schtasks.exe
1044	schtasks.exe
1972	schtasks.exe
1964	schtasks.exe
2596	schtasks.exe
2140	schtasks.exe
2120	schtasks.exe
2372	schtasks.exe
2896	schtasks.exe
600	schtasks.exe
2984	schtasks.exe
2812	schtasks.exe
1328	schtasks.exe
2556	schtasks.exe
2732	schtasks.exe
1068	schtasks.exe
1996	schtasks.exe
2928	schtasks.exe
2028	schtasks.exe
820	schtasks.exe
1824	schtasks.exe
1112	schtasks.exe
2864	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2688	surrogateproviderSvc.exe
2688	surrogateproviderSvc.exe
2688	surrogateproviderSvc.exe
1772	surrogateproviderSvc.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe
2080	System.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2080	System.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	surrogateproviderSvc.exe
Token: SeDebugPrivilege	1772	surrogateproviderSvc.exe
Token: SeDebugPrivilege	2080	System.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 2948	2036	RobloxVersionFix.exe	30
PID 2036 wrote to memory of 2948	2036	RobloxVersionFix.exe	30
PID 2036 wrote to memory of 2948	2036	RobloxVersionFix.exe	30
PID 2036 wrote to memory of 2948	2036	RobloxVersionFix.exe	30
PID 2948 wrote to memory of 2612	2948	WScript.exe	31
PID 2948 wrote to memory of 2612	2948	WScript.exe	31
PID 2948 wrote to memory of 2612	2948	WScript.exe	31
PID 2948 wrote to memory of 2612	2948	WScript.exe	31
PID 2612 wrote to memory of 2688	2612	cmd.exe	33
PID 2612 wrote to memory of 2688	2612	cmd.exe	33
PID 2612 wrote to memory of 2688	2612	cmd.exe	33
PID 2612 wrote to memory of 2688	2612	cmd.exe	33
PID 2688 wrote to memory of 1524	2688	surrogateproviderSvc.exe	50
PID 2688 wrote to memory of 1524	2688	surrogateproviderSvc.exe	50
PID 2688 wrote to memory of 1524	2688	surrogateproviderSvc.exe	50
PID 1524 wrote to memory of 1600	1524	cmd.exe	52
PID 1524 wrote to memory of 1600	1524	cmd.exe	52
PID 1524 wrote to memory of 1600	1524	cmd.exe	52
PID 1524 wrote to memory of 1772	1524	cmd.exe	53
PID 1524 wrote to memory of 1772	1524	cmd.exe	53
PID 1524 wrote to memory of 1772	1524	cmd.exe	53
PID 1772 wrote to memory of 2080	1772	surrogateproviderSvc.exe	102
PID 1772 wrote to memory of 2080	1772	surrogateproviderSvc.exe	102
PID 1772 wrote to memory of 2080	1772	surrogateproviderSvc.exe	102
PID 2080 wrote to memory of 3024	2080	System.exe	103
PID 2080 wrote to memory of 3024	2080	System.exe	103
PID 2080 wrote to memory of 3024	2080	System.exe	103
PID 2080 wrote to memory of 2480	2080	System.exe	104
PID 2080 wrote to memory of 2480	2080	System.exe	104
PID 2080 wrote to memory of 2480	2080	System.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RobloxVersionFix.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxVersionFix.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\DriverbrokerCrt\MlPmIZTueRfhTMCPi.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\DriverbrokerCrt\8os3Em7t.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\DriverbrokerCrt\surrogateproviderSvc.exe
      "C:\DriverbrokerCrt\surrogateproviderSvc.exe"
      4⤵
      DcRat
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5HgwEuCkaa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1524
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1600
      - C:\DriverbrokerCrt\surrogateproviderSvc.exe
        
        "C:\DriverbrokerCrt\surrogateproviderSvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\ServiceProfiles\LocalService\Pictures\System.exe
        
        "C:\Windows\ServiceProfiles\LocalService\Pictures\System.exe"
        7⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\193e7c4e-8bc0-4e3c-912e-2aa2050526d0.vbs"
        8⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66937694-c9c5-4b5d-8eec-ba3e51325c99.vbs"
        8⤵
        
        PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\DriverbrokerCrt\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\DriverbrokerCrt\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\DriverbrokerCrt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\conhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\conhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\DriverbrokerCrt\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\DriverbrokerCrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\DriverbrokerCrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogateproviderSvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\surrogateproviderSvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogateproviderSvc" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\surrogateproviderSvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "surrogateproviderSvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\surrogateproviderSvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverbrokerCrt\8os3Em7t.bat

Filesize
45B

MD5
8405523b77e502a8c914dc70b892f108

SHA1
2e861fbbb6d8c0c8d8202ffb465910daf421d731

SHA256
4dd3dbaedd2a4d877343c570eddc9e12cfa97e448ae2592cc935e3f01f425634

SHA512
1a08c548af62031afe3dd82acfd33d9334c97c5bd50d2e23e44bd327ad35f952124679c0be0adbc8848cb3ca659928767aba0ebaebee8f7a1f1b8d748a5330fe

Download Submit
C:\DriverbrokerCrt\MlPmIZTueRfhTMCPi.vbe

Filesize
200B

MD5
60c621e78018ae32d80ea7b1b1343f33

SHA1
cb52f961012f10d4b680155e6a6126cda3335f3e

SHA256
247abbd47f1a493ccbf109422cbba67f78a58dbe2866a2fad50899f18975b1bb

SHA512
9eca5dd5f44a01cfce920158599b3494b147ccbbc32d459488399917f9fcf3e0c87b54f63df61c5bca2dbc9ddde68aa11450fdc11e4945c02f56f118ec45003d

Download Submit
C:\Users\Admin\AppData\Local\Temp\193e7c4e-8bc0-4e3c-912e-2aa2050526d0.vbs

Filesize
735B

MD5
89bd5b0771b123e5752f6aec6e852725

SHA1
1fade144f35b66c70b537fa72e7b881a8125b095

SHA256
a8572e2d6cc08acd556aa3ed1d962010b329c9f165de5686e55e88052a8e0c57

SHA512
9ea328d838e822c575f01b06d7b068357a9ae7b55d3c10c5920ecdf2e39ed8ad5b6a31fa0a8907e33a5c56cea0662688193bbe79268f40f625167fe57b86675b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HgwEuCkaa.bat

Filesize
208B

MD5
e9ef530fa85644cac432d3168444252d

SHA1
22fd06f40c9a2c3c62dcf50bca1cb79f34d570a4

SHA256
735df3c40d4fb9a9298c596810db76441b1c93975ddc778dd53615bbf697c995

SHA512
731b417f33452c81a9f835159e5f8808a567c39f3df2b260e08b3d24d5bcebca4469572ca66e863d9ccf8b867d17def8d43aca184d743b172ad47600f7b7cb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\66937694-c9c5-4b5d-8eec-ba3e51325c99.vbs

Filesize
511B

MD5
dcc80ac738dad850900c64ee80354d07

SHA1
cae718c1d6cd232df7995afb51881c25af310f74

SHA256
c532010db782a29ae87efb57cdbdad62c86dbe2c91784aea18c136dbaee768d7

SHA512
a5ca09bde01cd2299d745e1e5fc80decdcfc4f788407d358f8ede262f2ce408ef9eb9bfad78f0cb5e0919a9eff9b37e09462ec64ffa943353b8d6a913ea0d51c

Download Submit
\DriverbrokerCrt\surrogateproviderSvc.exe

Filesize
1.2MB

MD5
b5badb070116d5e8125017ad9499762f

SHA1
9014974312328c23b2c5042ab83a12bf6f5da5a6

SHA256
7446c50c8697e9194564a0764f981ef475736a7dfbbc7ef10ed641c4d5e11cba

SHA512
86befc275da13cb4b7d00798883fcf65b07557d4c599da962573e5169e79126b1597997181961c5fb1a449dcc0210824d6583e654aef2879ba1dad6d4b89bc88

Download Submit
memory/1772-34-0x00000000010C0000-0x0000000001200000-memory.dmp

Filesize
1.2MB

Download
memory/2080-73-0x0000000000BC0000-0x0000000000D00000-memory.dmp

Filesize
1.2MB

Download
memory/2688-13-0x0000000000050000-0x0000000000190000-memory.dmp

Filesize
1.2MB

Download
memory/2688-17-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/2688-16-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/2688-15-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2688-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download