dcrat | 5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18

Analysis

max time kernel
298s
max time network
302s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22-01-2023 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe
Size

1.3MB
MD5

b9a0002e9a104374dea2f4ba571f1764
SHA1

627488abb7aeeb5f8f411a9694cebd6b4748a86f
SHA256

5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18
SHA512

439d0ad76753bf88adc6d92e80fda5bbc64c5724180d8689f79fbf48a80754eb5f127284f123a71129a110ccfeeccb1c3c4cb0879f7859a0648aa0e09ba805b5
SSDEEP

24576:U2G/nvxW3Ww0t4952ytIS/Zgi5N5vC8bg7Mj9W4eHdELPh:UbA30QAytISht5q8bQMB4o

Score

10^/10

dcrat evasion infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

hyperReviewwin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\", \"C:\\Windows\\tracing\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\", \"C:\\Windows\\tracing\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\wininit.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\", \"C:\\Windows\\tracing\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\", \"C:\\Windows\\tracing\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Uninstall Information\\csrss.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\", \"C:\\Windows\\tracing\\sppsvc.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\explorer.exe\", \"C:\\Users\\All Users\\Start Menu\\csrss.exe\""	hyperReviewwin.exe

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1704	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1704	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe	dcrat
behavioral1/memory/324-65-0x00000000012D0000-0x00000000013DA000-memory.dmp	dcrat
C:\Users\All Users\Start Menu\csrss.exe	dcrat
C:\ProgramData\Microsoft\Windows\Start Menu\csrss.exe	dcrat
behavioral1/memory/1488-77-0x0000000000820000-0x000000000092A000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

hyperReviewwin.execsrss.exe

pid process

324 hyperReviewwin.exe
1488 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1352 cmd.exe
1352 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1352	cmd.exe
1352	cmd.exe

Adds Run key to start application 2 TTPs 14 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

hyperReviewwin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\tracing\\sppsvc.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Start Menu\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Start Menu\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Uninstall Information\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.0\\explorer.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\csrss.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\wininit.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\wininit.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\winlogon.exe\""	hyperReviewwin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\tracing\\sppsvc.exe\""	hyperReviewwin.exe

Drops file in Program Files directory 11 IoCs

Processes:

hyperReviewwin.exe

description	ioc	process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe	hyperReviewwin.exe
File created	C:\Program Files\Windows Photo Viewer\csrss.exe	hyperReviewwin.exe
File created	C:\Program Files\Windows Photo Viewer\886983d96e3d3e	hyperReviewwin.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\56085415360792	hyperReviewwin.exe
File created	C:\Program Files\Uninstall Information\csrss.exe	hyperReviewwin.exe
File opened for modification	C:\Program Files\Uninstall Information\csrss.exe	hyperReviewwin.exe
File created	C:\Program Files\Uninstall Information\886983d96e3d3e	hyperReviewwin.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\wininit.exe	hyperReviewwin.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe	hyperReviewwin.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\cc11b995f2a76d	hyperReviewwin.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\7a0fd90576e088	hyperReviewwin.exe

Drops file in Windows directory 2 IoCs

Processes:

hyperReviewwin.exe

description ioc process

File created C:\Windows\tracing\0a1fd5f707cd16 hyperReviewwin.exe
File created C:\Windows\tracing\sppsvc.exe hyperReviewwin.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\tracing\0a1fd5f707cd16	hyperReviewwin.exe
File created	C:\Windows\tracing\sppsvc.exe	hyperReviewwin.exe

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1764	schtasks.exe
1100	schtasks.exe
2040	schtasks.exe
1576	schtasks.exe
1496	schtasks.exe
668	schtasks.exe
112	schtasks.exe
280	schtasks.exe
516	schtasks.exe
1820	schtasks.exe
1608	schtasks.exe
1348	schtasks.exe
1676	schtasks.exe
536	schtasks.exe
1956	schtasks.exe
960	schtasks.exe
1192	schtasks.exe
436	schtasks.exe
1436	schtasks.exe
2024	schtasks.exe
824	schtasks.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

272 reg.exe

pid	process
272	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

hyperReviewwin.execsrss.exe

pid	process
324	hyperReviewwin.exe
324	hyperReviewwin.exe
324	hyperReviewwin.exe
324	hyperReviewwin.exe
324	hyperReviewwin.exe
324	hyperReviewwin.exe
324	hyperReviewwin.exe
1488	csrss.exe
1488	csrss.exe
1488	csrss.exe
1488	csrss.exe
1488	csrss.exe
1488	csrss.exe
1488	csrss.exe
1488	csrss.exe
1488	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hyperReviewwin.execsrss.exe

description pid process

Token: SeDebugPrivilege 324 hyperReviewwin.exe
Token: SeDebugPrivilege 1488 csrss.exe

description	pid	process
Token: SeDebugPrivilege	324	hyperReviewwin.exe
Token: SeDebugPrivilege	1488	csrss.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exeWScript.execmd.exehyperReviewwin.execmd.exe

description	pid	process	target process
PID 840 wrote to memory of 1596	840	5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe	WScript.exe
PID 840 wrote to memory of 1596	840	5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe	WScript.exe
PID 840 wrote to memory of 1596	840	5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe	WScript.exe
PID 840 wrote to memory of 1596	840	5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe	WScript.exe
PID 1596 wrote to memory of 1352	1596	WScript.exe	cmd.exe
PID 1596 wrote to memory of 1352	1596	WScript.exe	cmd.exe
PID 1596 wrote to memory of 1352	1596	WScript.exe	cmd.exe
PID 1596 wrote to memory of 1352	1596	WScript.exe	cmd.exe
PID 1352 wrote to memory of 324	1352	cmd.exe	hyperReviewwin.exe
PID 1352 wrote to memory of 324	1352	cmd.exe	hyperReviewwin.exe
PID 1352 wrote to memory of 324	1352	cmd.exe	hyperReviewwin.exe
PID 1352 wrote to memory of 324	1352	cmd.exe	hyperReviewwin.exe
PID 324 wrote to memory of 1748	324	hyperReviewwin.exe	cmd.exe
PID 324 wrote to memory of 1748	324	hyperReviewwin.exe	cmd.exe
PID 324 wrote to memory of 1748	324	hyperReviewwin.exe	cmd.exe
PID 1352 wrote to memory of 272	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 272	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 272	1352	cmd.exe	reg.exe
PID 1352 wrote to memory of 272	1352	cmd.exe	reg.exe
PID 1748 wrote to memory of 1728	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1728	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1728	1748	cmd.exe	w32tm.exe
PID 1748 wrote to memory of 1488	1748	cmd.exe	csrss.exe
PID 1748 wrote to memory of 1488	1748	cmd.exe	csrss.exe
PID 1748 wrote to memory of 1488	1748	cmd.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe
"C:\Users\Admin\AppData\Local\Temp\5d05c7d74af3f812e23c91cb9cf1e346af9e8e074515862c7449cd8ff2dd8b18.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe
"C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dO9tjRSg4o.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:1728

C:\Users\All Users\Start Menu\csrss.exe
"C:\Users\All Users\Start Menu\csrss.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\csrss.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dO9tjRSg4o.bat

Filesize
204B

MD5
51368d4b8d43af37919877da00252470

SHA1
df38e901e4a4e0d8cae50c1a5a99cef4684d0c6e

SHA256
3f1052d1a2b83e826f67672215b283f81b1368a6ee83c4f09fde39c8d1ef9ee0

SHA512
8771bc3ba4788e5ad75b8bd14c448de8257be6f7d503a832e9e596f9fc9d878f26672c37d3c12b0aac70c53ff7db9098d986de1973f8dbc75ac8fa7a00dbbec6

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\87AREt1.bat

Filesize
173B

MD5
2445216481e9c79fe7a7d2dddd5dd047

SHA1
5caaf8f423f587b26c0d98bb57db0e295d7ca6a7

SHA256
0d8405ad4bde2e23144377872f204baf9cdbc1343a55c075dabeec49a64c7c3d

SHA512
7000b171a053a0bb20c435765f2c76272e71eb4f429e2b500282f4765b9141757cdcb93a94480ae8ae0b78624098a02bb71caa111e8ab516f12c863725f86484

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\GkeJrm3LHsNPCuEbXf7u.vbe

Filesize
221B

MD5
fc584ab062886ba5b7b34c8a8e4f1809

SHA1
6be7eeee2021f69be9e4513f0cb28408a56caba9

SHA256
873395e08f2ca43b4698329c5e2b6667dec76f2eeb08b05a1cff0a14e5a9db76

SHA512
a74d1b3567e169ed0ec0d135e31312eeae71f87e43c2311a16539f670116f2ce75bb4b4f33a6b462aa417c3764637b3e6c027b44728b2da7874031ac0cc4a7b8

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
C:\Users\All Users\Start Menu\csrss.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
\Users\Admin\AppData\Roaming\containerfontSessionmonitorsvc\hyperReviewwin.exe

Filesize
1.0MB

MD5
ce9d81db072369459840b1fe59a54ac9

SHA1
5813fcd53f7670656d036dfb49c6f9ed8f6eebbf

SHA256
62a30529b4349757f575cba71300e5deed89c480293142d92b44a314849a04bf

SHA512
6be82ee4dcf8bae4ee17ca174d4a90a7b74c4fd2494aefb2091d4edcefba4dfaa4db94bef180cce39959ed6997bde96f8914996138f188be2d880e86a4dfb97b

Download Submit
memory/272-71-0x0000000000000000-mapping.dmp

Download
memory/324-65-0x00000000012D0000-0x00000000013DA000-memory.dmp

Filesize
1.0MB

Download
memory/324-66-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/324-67-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/324-68-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/324-69-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/324-63-0x0000000000000000-mapping.dmp

Download
memory/840-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/1352-59-0x0000000000000000-mapping.dmp

Download
memory/1488-75-0x0000000000000000-mapping.dmp

Download
memory/1488-77-0x0000000000820000-0x000000000092A000-memory.dmp

Filesize
1.0MB

Download
memory/1596-55-0x0000000000000000-mapping.dmp

Download
memory/1728-73-0x0000000000000000-mapping.dmp

Download
memory/1748-70-0x0000000000000000-mapping.dmp

Download