dcrat | 82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b

Analysis

max time kernel
65s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-03-2023 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0fb4af03514fe70e036bbea624ea81f.exe
Size

1.6MB
MD5

a0fb4af03514fe70e036bbea624ea81f
SHA1

435f3ef79e360d89cab884e990a558722c9ce272
SHA256

82b8546043bca13cf187119fb68cdabd9ffef9688e16eaff06211d52bb36249b
SHA512

d3bc4a717f7057b4b2da642c6272f0d357dc0bdf39f898931491e409d4b58790a715138541668a56046c5332178ddb10fc439e5c4d0a7ac6825b82f34e9c268c
SSDEEP

24576:B2G/nvxW3WQnkHnDIlJzbBA5clWJG4kQy0ohgEGdHKK5Cu8Kc9mfCQbZ8/zARp:BbA37kHnDIbzi5MWjmuHNKQbi/E/

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1596	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1596	schtasks.exe

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
\PortfontWin\agentNet.exe	dcrat
C:\PortfontWin\agentNet.exe	dcrat
\PortfontWin\agentNet.exe	dcrat
C:\PortfontWin\agentNet.exe	dcrat
behavioral1/memory/1492-72-0x0000000000F70000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/1492-76-0x000000001B280000-0x000000001B300000-memory.dmp	dcrat
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\agentNet.exe	dcrat
C:\PortfontWin\csrss.exe	dcrat
C:\PortfontWin\csrss.exe	dcrat
behavioral1/memory/436-116-0x0000000000330000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/436-119-0x0000000000480000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/436-125-0x0000000000480000-0x0000000000500000-memory.dmp	dcrat

Executes dropped EXE 2 IoCs

Processes:

agentNet.execsrss.exe

pid process

1492 agentNet.exe
436 csrss.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

584 cmd.exe
584 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
584	cmd.exe
584	cmd.exe

Drops file in Program Files directory 14 IoCs

Processes:

agentNet.exe

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe	agentNet.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f	agentNet.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe	agentNet.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\56085415360792	agentNet.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe	agentNet.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe	agentNet.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\69ddcba757bf72	agentNet.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\0a1fd5f707cd16	agentNet.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsass.exe	agentNet.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\c5b4cb5e9653cc	agentNet.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\6203df4a6bafc7	agentNet.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\wininit.exe	agentNet.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe	agentNet.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\cc11b995f2a76d	agentNet.exe

Drops file in Windows directory 2 IoCs

Processes:

agentNet.exe

description ioc process

File created C:\Windows\Cursors\csrss.exe agentNet.exe
File created C:\Windows\Cursors\886983d96e3d3e agentNet.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Cursors\csrss.exe	agentNet.exe
File created	C:\Windows\Cursors\886983d96e3d3e	agentNet.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1092	schtasks.exe
1112	schtasks.exe
1732	schtasks.exe
1076	schtasks.exe
1980	schtasks.exe
1732	schtasks.exe
996	schtasks.exe
1796	schtasks.exe
1852	schtasks.exe
1344	schtasks.exe
1764	schtasks.exe
2008	schtasks.exe
1684	schtasks.exe
572	schtasks.exe
836	schtasks.exe
1168	schtasks.exe
1844	schtasks.exe
1756	schtasks.exe
1944	schtasks.exe
1948	schtasks.exe
1720	schtasks.exe
1368	schtasks.exe
1728	schtasks.exe
1316	schtasks.exe
848	schtasks.exe
944	schtasks.exe
944	schtasks.exe
1276	schtasks.exe
1192	schtasks.exe
1488	schtasks.exe
1352	schtasks.exe
848	schtasks.exe
696	schtasks.exe
1152	schtasks.exe
1436	schtasks.exe
1968	schtasks.exe
1348	schtasks.exe
1264	schtasks.exe
1644	schtasks.exe
112	schtasks.exe
1712	schtasks.exe
388	schtasks.exe
108	schtasks.exe
876	schtasks.exe
592	schtasks.exe
956	schtasks.exe
1684	schtasks.exe
1960	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

agentNet.execsrss.exe

pid	process
1492	agentNet.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe
436	csrss.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

agentNet.execsrss.exe

description pid process

Token: SeDebugPrivilege 1492 agentNet.exe
Token: SeDebugPrivilege 436 csrss.exe

description	pid	process
Token: SeDebugPrivilege	1492	agentNet.exe
Token: SeDebugPrivilege	436	csrss.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

a0fb4af03514fe70e036bbea624ea81f.exeWScript.execmd.exeagentNet.exe

description	pid	process	target process
PID 1192 wrote to memory of 1960	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1192 wrote to memory of 1960	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1192 wrote to memory of 1960	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1192 wrote to memory of 1960	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1192 wrote to memory of 524	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1192 wrote to memory of 524	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1192 wrote to memory of 524	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1192 wrote to memory of 524	1192	a0fb4af03514fe70e036bbea624ea81f.exe	WScript.exe
PID 1960 wrote to memory of 584	1960	WScript.exe	cmd.exe
PID 1960 wrote to memory of 584	1960	WScript.exe	cmd.exe
PID 1960 wrote to memory of 584	1960	WScript.exe	cmd.exe
PID 1960 wrote to memory of 584	1960	WScript.exe	cmd.exe
PID 584 wrote to memory of 1492	584	cmd.exe	agentNet.exe
PID 584 wrote to memory of 1492	584	cmd.exe	agentNet.exe
PID 584 wrote to memory of 1492	584	cmd.exe	agentNet.exe
PID 584 wrote to memory of 1492	584	cmd.exe	agentNet.exe
PID 1492 wrote to memory of 436	1492	agentNet.exe	csrss.exe
PID 1492 wrote to memory of 436	1492	agentNet.exe	csrss.exe
PID 1492 wrote to memory of 436	1492	agentNet.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a0fb4af03514fe70e036bbea624ea81f.exe
"C:\Users\Admin\AppData\Local\Temp\a0fb4af03514fe70e036bbea624ea81f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\PortfontWin\ItIWhmVbvimfR.bat" "
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584

C:\PortfontWin\agentNet.exe
"C:\PortfontWin\agentNet.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\PortfontWin\csrss.exe
"C:\PortfontWin\csrss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortfontWin\file.vbs"
2⤵
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentNeta" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\agentNet.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentNet" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\agentNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentNeta" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\agentNet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\PortfontWin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PortfontWin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\PortfontWin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\PortfontWin\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\PortfontWin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\PortfontWin\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortfontWin\ItIWhmVbvimfR.bat
Filesize
29B

MD5
fd0d6ddda55e2608a242669717a0d517

SHA1
294004545081c4634c07f7cca31819207588c310

SHA256
dd0a8c6636afc291a09f480b9294860f6412555b0bfda3808917eff3637a005d

SHA512
d23fddbf26c32b50c3fe3eb654da3ac25e84b7d5bf3501c682bac74f39295a58c1072dd02b97e340a0ec28e30c58ed1bb1448badb5e680baea4d6bce769215a0

Download Submit
C:\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\PortfontWin\csrss.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\PortfontWin\csrss.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
C:\PortfontWin\faioFQaWMfyQql5F1lpCdLP.vbe
Filesize
201B

MD5
d82d15119bf0f8e8e3077d786bcbbefb

SHA1
92a74c59f2984d8f7f9fcd22f44c463cc0177cbd

SHA256
1be73a1a92fa60e7ec1ab2b7777780d7f958c284b4c1596ea9ab5c3ad581e76f

SHA512
9aaa9dd3906c1b531b9c85f61b9da3d11f458f7eba22a4107fa4ed49868b45f1d0f804296f1ef35c62115d77204b99c235c9e6f504b65d752caf3f58c44eacaa

Download Submit
C:\PortfontWin\file.vbs
Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
\PortfontWin\agentNet.exe
Filesize
1.3MB

MD5
cd663693d7804e051bd4d890a643a521

SHA1
186510d39cc3a7d928f47c3d6813c27c5e7e3674

SHA256
f950a9b3a3930c29d9fadeee93d8e25d5771008c0f0ed492616802977b4fb873

SHA512
a5a5be5ad57ea6eb18ec7ad8d0ae73f7867c10b6c34ce7152daeef8a99206ddca0fc121ba90a939b39aada01e313de1254dfdaf3e5f20769a8d7ba5254174c0e

Download Submit
memory/436-116-0x0000000000330000-0x0000000000480000-memory.dmp

Filesize
1.3MB

Download
memory/436-117-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/436-118-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/436-119-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/436-125-0x0000000000480000-0x0000000000500000-memory.dmp

Filesize
512KB

Download
memory/1492-75-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1492-76-0x000000001B280000-0x000000001B300000-memory.dmp

Filesize
512KB

Download
memory/1492-77-0x0000000000A80000-0x0000000000A8E000-memory.dmp

Filesize
56KB

Download
memory/1492-74-0x0000000000A40000-0x0000000000A56000-memory.dmp

Filesize
88KB

Download
memory/1492-73-0x0000000000630000-0x000000000064C000-memory.dmp

Filesize
112KB

Download
memory/1492-72-0x0000000000F70000-0x00000000010C0000-memory.dmp

Filesize
1.3MB

Download