dcrat | e297203dfba8fae21f135b84577e5ca2bab763ce31dd4870a6675ce4bf4b4438

Analysis

max time kernel
130s
max time network
149s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
12-07-2023 18:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b2d4fcde79ec18965ade78318c38c4c.exe
Size

3.5MB
MD5

2b2d4fcde79ec18965ade78318c38c4c
SHA1

6117aa4ee5f83046ba23398deeeb892b1bb22bab
SHA256

e297203dfba8fae21f135b84577e5ca2bab763ce31dd4870a6675ce4bf4b4438
SHA512

bb3d45a350c1c8a7ad79251872d2d163249c65b3953d2031f817322972915d75c5a839599ad0a37251bee5346ab1ff3fdfde47b341255c02f0c9f51c3b0325b8
SSDEEP

98304:vJGVP6249vx6nXmtxhwv1CT86mtaxOl7uss/31N3H:vUVoVxQX2xh2088xMk/lh

Score

10^/10

dcrat orcus новый тег infostealer rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Новый тег

128.59.46.185:20954

Mutex

sudo_t5h71vhdjlc15uv100unb79v0m48rb0o

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\securepipeasync\lineline.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 10 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001223f-67.dat	family_orcus
behavioral1/files/0x000b00000001223f-66.dat	family_orcus
behavioral1/files/0x000b00000001223f-64.dat	family_orcus
behavioral1/files/0x0009000000015e6e-82.dat	family_orcus
behavioral1/files/0x0009000000015e6e-88.dat	family_orcus
behavioral1/files/0x0009000000015e6e-86.dat	family_orcus
behavioral1/files/0x0009000000015e6e-90.dat	family_orcus
behavioral1/files/0x0009000000015e6e-94.dat	family_orcus
behavioral1/files/0x0009000000015e6e-195.dat	family_orcus
behavioral1/files/0x0009000000015e6e-197.dat	family_orcus

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000012024-57.dat	dcrat
behavioral1/files/0x0009000000012024-60.dat	dcrat
behavioral1/files/0x0009000000012024-59.dat	dcrat
behavioral1/files/0x0009000000012024-68.dat	dcrat
behavioral1/files/0x0007000000015dad-160.dat	dcrat
behavioral1/files/0x0007000000015dad-163.dat	dcrat
behavioral1/files/0x0007000000015dad-162.dat	dcrat
behavioral1/files/0x0007000000015dad-161.dat	dcrat
behavioral1/memory/2068-164-0x00000000000A0000-0x0000000000144000-memory.dmp	dcrat
behavioral1/memory/2068-165-0x000000001B330000-0x000000001B3B0000-memory.dmp	dcrat

Orcurs Rat Executable 12 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001223f-67.dat	orcus
behavioral1/files/0x000b00000001223f-66.dat	orcus
behavioral1/files/0x000b00000001223f-64.dat	orcus
behavioral1/memory/2968-69-0x00000000013D0000-0x00000000016E0000-memory.dmp	orcus
behavioral1/files/0x0009000000015e6e-82.dat	orcus
behavioral1/files/0x0009000000015e6e-88.dat	orcus
behavioral1/files/0x0009000000015e6e-86.dat	orcus
behavioral1/files/0x0009000000015e6e-90.dat	orcus
behavioral1/memory/2800-91-0x0000000000230000-0x0000000000540000-memory.dmp	orcus
behavioral1/files/0x0009000000015e6e-94.dat	orcus
behavioral1/files/0x0009000000015e6e-195.dat	orcus
behavioral1/files/0x0009000000015e6e-197.dat	orcus

Executes dropped EXE 7 IoCs

pid	Process
2496	DCRatBuild.exe
2968	lineline.exe
2800	lineline.exe
528	lineline.exe
2068	hyperReview.exe
1304	lineline.exe
2932	lineline.exe

Loads dropped DLL 5 IoCs

pid	Process
2536	2b2d4fcde79ec18965ade78318c38c4c.exe
2536	2b2d4fcde79ec18965ade78318c38c4c.exe
2968	lineline.exe
2344	cmd.exe
2344	cmd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe
2800	lineline.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	lineline.exe
Token: SeDebugPrivilege	2800	lineline.exe
Token: SeDebugPrivilege	2068	hyperReview.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2496	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	28
PID 2536 wrote to memory of 2496	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	28
PID 2536 wrote to memory of 2496	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	28
PID 2536 wrote to memory of 2496	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	28
PID 2536 wrote to memory of 2968	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	29
PID 2536 wrote to memory of 2968	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	29
PID 2536 wrote to memory of 2968	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	29
PID 2536 wrote to memory of 2968	2536	2b2d4fcde79ec18965ade78318c38c4c.exe	29
PID 2496 wrote to memory of 1424	2496	DCRatBuild.exe	30
PID 2496 wrote to memory of 1424	2496	DCRatBuild.exe	30
PID 2496 wrote to memory of 1424	2496	DCRatBuild.exe	30
PID 2496 wrote to memory of 1424	2496	DCRatBuild.exe	30
PID 2968 wrote to memory of 2800	2968	lineline.exe	31
PID 2968 wrote to memory of 2800	2968	lineline.exe	31
PID 2968 wrote to memory of 2800	2968	lineline.exe	31
PID 2404 wrote to memory of 528	2404	taskeng.exe	34
PID 2404 wrote to memory of 528	2404	taskeng.exe	34
PID 2404 wrote to memory of 528	2404	taskeng.exe	34
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 2732	2800	lineline.exe	33
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 872	2800	lineline.exe	35
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 980	2800	lineline.exe	36
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 572	2800	lineline.exe	37
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 1644	2800	lineline.exe	38
PID 2800 wrote to memory of 2160	2800	lineline.exe	39
PID 2800 wrote to memory of 2160	2800	lineline.exe	39
PID 2800 wrote to memory of 2160	2800	lineline.exe	39
PID 2800 wrote to memory of 2160	2800	lineline.exe	39
PID 2800 wrote to memory of 2160	2800	lineline.exe	39
PID 2800 wrote to memory of 1868	2800	lineline.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b2d4fcde79ec18965ade78318c38c4c.exe
"C:\Users\Admin\AppData\Local\Temp\2b2d4fcde79ec18965ade78318c38c4c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\portFontruntimesvc\IFs7PxNlf0FukhYTS68xpV.vbe"
    3⤵
    PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\portFontruntimesvc\MDelSg1gMf2sbupZ4DcoQydnq.bat" "
      4⤵
      Loads dropped DLL
      PID:2344
    - - C:\portFontruntimesvc\hyperReview.exe
        
        "C:\portFontruntimesvc\hyperReview.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
- C:\Users\Admin\AppData\Local\Temp\lineline.exe
  "C:\Users\Admin\AppData\Local\Temp\lineline.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe
    "C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:980
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:1644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:2160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1284
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2264
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2132
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2584
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:1388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:1016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:1696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:3016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:2176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:2244
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:2748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:3040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
      4⤵
      PID:2476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:1620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:1664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2884
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:3032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:1124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2256
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:1480
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:1640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:1380
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:1268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:1680
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:1088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
      4⤵
      PID:1052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      4⤵
      PID:2152

C:\Windows\system32\taskeng.exe
taskeng.exe {083BBB4D-D589-4D02-B64F-45B981195CC7} S-1-5-21-4159544280-4273523227-683900707-1000:UMAXQRGK\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe
  C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe
  C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe
  C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe
  2⤵
  - Executes dropped EXE
  PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab9F7C.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
940KB

MD5
35358d4b383f19ddbfff815b641a86f4

SHA1
6be51752e0192aeb013c095fc58fd974ad9f8071

SHA256
f6ff85c92c4d439d812ac91063809398fdaf93367df696c09a80c6779f5e3ad8

SHA512
77c1e20631b472c1edcd653d9e4ad2f3ffa217b38b1a5c297fcbdda33a39011480491b7f813e6fa8677f6e3d3f7ef2b424f236814ad5c169c4ca80d7bc7113a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
940KB

MD5
35358d4b383f19ddbfff815b641a86f4

SHA1
6be51752e0192aeb013c095fc58fd974ad9f8071

SHA256
f6ff85c92c4d439d812ac91063809398fdaf93367df696c09a80c6779f5e3ad8

SHA512
77c1e20631b472c1edcd653d9e4ad2f3ffa217b38b1a5c297fcbdda33a39011480491b7f813e6fa8677f6e3d3f7ef2b424f236814ad5c169c4ca80d7bc7113a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
940KB

MD5
35358d4b383f19ddbfff815b641a86f4

SHA1
6be51752e0192aeb013c095fc58fd974ad9f8071

SHA256
f6ff85c92c4d439d812ac91063809398fdaf93367df696c09a80c6779f5e3ad8

SHA512
77c1e20631b472c1edcd653d9e4ad2f3ffa217b38b1a5c297fcbdda33a39011480491b7f813e6fa8677f6e3d3f7ef2b424f236814ad5c169c4ca80d7bc7113a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Local\Temp\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
C:\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\portFontruntimesvc\IFs7PxNlf0FukhYTS68xpV.vbe

Filesize
220B

MD5
696dd36e43dfabcb46c5d1a01d83e074

SHA1
ccd0630199c3f2b8069df5d6c60143d4667f1bca

SHA256
8b79645b9b1edfcca61d94bc484a34e97acd457c523ffdc6302f2c8d9f516890

SHA512
f2f8234b5ad627c6cc9a67b9ed60fc752f0f871fe29835a7e67ecfd0925fa8c012b91345e6e2847cfff82c384a3c70e555ada6187ceecfc9383bbfa75e271ecf

Download Submit
C:\portFontruntimesvc\MDelSg1gMf2sbupZ4DcoQydnq.bat

Filesize
39B

MD5
8d2aa3c1f34c8d66ebe1fe33d1be720c

SHA1
6c2eee861d06a0f2213c879e55117ad49810060b

SHA256
adfa34a0415a3b8a9eed4bb4bcdd7f8ef8c9619b2ed1cc7efd28dded503be2bf

SHA512
9e3635bbd28459ae4aea66cab7f320b870d0aa9e70908f149e139c8d868f9bcc208be595b696b00096c90a6de039a53e757db8d55d7bdd381401577c45b3197c

Download Submit
C:\portFontruntimesvc\hyperReview.exe

Filesize
631KB

MD5
fff99ff34acdaff6fc588d3d9464a6bf

SHA1
42d0449b6cfc9e670ef47fe88b0d564402faae85

SHA256
e6577e298a5e589713417975f6dd31d24ae166244e7131a57d6a74c9e9645869

SHA512
74d989e8a1f632074ccb07f200568ebcc9261464dfc60aa57d070c9fb5329bfd641b0d5bba3bfa2cdc7f7e119376535b16ed9ee7da6392617e1083747713e8aa

Download Submit
C:\portFontruntimesvc\hyperReview.exe

Filesize
631KB

MD5
fff99ff34acdaff6fc588d3d9464a6bf

SHA1
42d0449b6cfc9e670ef47fe88b0d564402faae85

SHA256
e6577e298a5e589713417975f6dd31d24ae166244e7131a57d6a74c9e9645869

SHA512
74d989e8a1f632074ccb07f200568ebcc9261464dfc60aa57d070c9fb5329bfd641b0d5bba3bfa2cdc7f7e119376535b16ed9ee7da6392617e1083747713e8aa

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
940KB

MD5
35358d4b383f19ddbfff815b641a86f4

SHA1
6be51752e0192aeb013c095fc58fd974ad9f8071

SHA256
f6ff85c92c4d439d812ac91063809398fdaf93367df696c09a80c6779f5e3ad8

SHA512
77c1e20631b472c1edcd653d9e4ad2f3ffa217b38b1a5c297fcbdda33a39011480491b7f813e6fa8677f6e3d3f7ef2b424f236814ad5c169c4ca80d7bc7113a7

Download Submit
\Users\Admin\AppData\Local\Temp\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
\Users\Admin\AppData\Roaming\securepipeasync\lineline.exe

Filesize
3.1MB

MD5
c947802e4ff7646d3dcfa28fa3a9f47b

SHA1
7d2b692d73ec80ab9c32480bf0a728438cc2862f

SHA256
d2a76383575f395bb84b0df4a5a00da8882bfe6f4f0efee14abf6831ff35631b

SHA512
bc86c4261a19db626d92785a91fa17fc6dcab6b84c729b19ca95827133dd81636f0ab9ec24dc824c31b207d6b42ebfd81383c0c9112c1672aa50a1f3cfa78593

Download Submit
\portFontruntimesvc\hyperReview.exe

Filesize
631KB

MD5
fff99ff34acdaff6fc588d3d9464a6bf

SHA1
42d0449b6cfc9e670ef47fe88b0d564402faae85

SHA256
e6577e298a5e589713417975f6dd31d24ae166244e7131a57d6a74c9e9645869

SHA512
74d989e8a1f632074ccb07f200568ebcc9261464dfc60aa57d070c9fb5329bfd641b0d5bba3bfa2cdc7f7e119376535b16ed9ee7da6392617e1083747713e8aa

Download Submit
\portFontruntimesvc\hyperReview.exe

Filesize
631KB

MD5
fff99ff34acdaff6fc588d3d9464a6bf

SHA1
42d0449b6cfc9e670ef47fe88b0d564402faae85

SHA256
e6577e298a5e589713417975f6dd31d24ae166244e7131a57d6a74c9e9645869

SHA512
74d989e8a1f632074ccb07f200568ebcc9261464dfc60aa57d070c9fb5329bfd641b0d5bba3bfa2cdc7f7e119376535b16ed9ee7da6392617e1083747713e8aa

Download Submit
memory/528-99-0x000000001B9A0000-0x000000001BA20000-memory.dmp

Filesize
512KB

Download
memory/1304-196-0x000000001C180000-0x000000001C200000-memory.dmp

Filesize
512KB

Download
memory/2068-164-0x00000000000A0000-0x0000000000144000-memory.dmp

Filesize
656KB

Download
memory/2068-165-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2068-166-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/2068-167-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2068-171-0x000000001B330000-0x000000001B3B0000-memory.dmp

Filesize
512KB

Download
memory/2732-95-0x0000000000280000-0x0000000000590000-memory.dmp

Filesize
3.1MB

Download
memory/2800-168-0x0000000002740000-0x000000000274E000-memory.dmp

Filesize
56KB

Download
memory/2800-142-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/2800-93-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/2800-92-0x00000000024D0000-0x000000000251E000-memory.dmp

Filesize
312KB

Download
memory/2800-91-0x0000000000230000-0x0000000000540000-memory.dmp

Filesize
3.1MB

Download
memory/2800-170-0x000000001BEB0000-0x000000001BF30000-memory.dmp

Filesize
512KB

Download
memory/2800-141-0x0000000002540000-0x000000000255A000-memory.dmp

Filesize
104KB

Download
memory/2800-169-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/2932-198-0x000000001BFD0000-0x000000001C050000-memory.dmp

Filesize
512KB

Download
memory/2968-79-0x00000000005C0000-0x000000000061E000-memory.dmp

Filesize
376KB

Download
memory/2968-80-0x0000000000A00000-0x0000000000A0E000-memory.dmp

Filesize
56KB

Download
memory/2968-81-0x0000000000C50000-0x0000000000C64000-memory.dmp

Filesize
80KB

Download
memory/2968-77-0x000000001BFF0000-0x000000001C070000-memory.dmp

Filesize
512KB

Download
memory/2968-69-0x00000000013D0000-0x00000000016E0000-memory.dmp

Filesize
3.1MB

Download