dcrat | b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

397f5c91fd7cafc22c3fe28bc8fe675a.exe
Size

1.3MB
MD5

397f5c91fd7cafc22c3fe28bc8fe675a
SHA1

02e127ae9c5a55e9b48731a3d47220cdb056f3eb
SHA256

b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3
SHA512

fdb348e8d451e68f59c02c57dcc788e486f7244211687b854463768961c50bd70fad6e5e0e2e66dd3c42666fa6d04fcf1014e3dd356011eeaba4a6a7031bf311
SSDEEP

24576:dA1MqYjjU6kS6e5jB/n4L6JXWutEcPO6KhepiKnG/hnPrdSkl+j9aTw1OquD:d4dK756e5VgL6JXWutEcLmesKG/hQzj4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3568	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	1484	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	1484	schtasks.exe	90

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000700000002326d-137.dat	dcrat
behavioral2/files/0x000700000002326d-140.dat	dcrat
behavioral2/files/0x000700000002326d-143.dat	dcrat
behavioral2/files/0x000600000002327a-155.dat	dcrat
behavioral2/files/0x000600000002327a-154.dat	dcrat
behavioral2/memory/3136-156-0x0000000000060000-0x0000000000136000-memory.dmp	dcrat
behavioral2/files/0x0006000000023280-161.dat	dcrat
behavioral2/files/0x000600000002328c-193.dat	dcrat
behavioral2/files/0x000600000002328c-195.dat	dcrat

Executes dropped EXE 3 IoCs

pid	Process
1272	prikol.exe
3136	agentServer.exe
4480	RuntimeBroker.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\StartMenuExperienceHost.exe	agentServer.exe
File created	C:\Program Files\MSBuild\55b276f4edf653	agentServer.exe
File created	C:\Program Files (x86)\Common Files\conhost.exe	agentServer.exe
File created	C:\Program Files (x86)\Common Files\088424020bedd6	agentServer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\en-US\9e8d7a4ca61bd9	agentServer.exe
File created	C:\Windows\en-US\RuntimeBroker.exe	agentServer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2792	schtasks.exe
3984	schtasks.exe
2044	schtasks.exe
4916	schtasks.exe
4592	schtasks.exe
4616	schtasks.exe
2032	schtasks.exe
4548	schtasks.exe
5096	schtasks.exe
4380	schtasks.exe
1364	schtasks.exe
3412	schtasks.exe
3692	schtasks.exe
4656	schtasks.exe
3952	schtasks.exe
4224	schtasks.exe
2888	schtasks.exe
4268	schtasks.exe
3048	schtasks.exe
2712	schtasks.exe
3848	schtasks.exe
2304	schtasks.exe
1916	schtasks.exe
4000	schtasks.exe
2816	schtasks.exe
3660	schtasks.exe
4444	schtasks.exe
2452	schtasks.exe
3500	schtasks.exe
3568	schtasks.exe
1264	schtasks.exe
2512	schtasks.exe
3808	schtasks.exe
5016	schtasks.exe
1332	schtasks.exe
3840	schtasks.exe
3404	schtasks.exe
2748	schtasks.exe
3964	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	prikol.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3136	agentServer.exe
3136	agentServer.exe
3136	agentServer.exe
3136	agentServer.exe
3136	agentServer.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe
4480	RuntimeBroker.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4480	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3136	agentServer.exe
Token: SeDebugPrivilege	4480	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 1272	1536	397f5c91fd7cafc22c3fe28bc8fe675a.exe	81
PID 1536 wrote to memory of 1272	1536	397f5c91fd7cafc22c3fe28bc8fe675a.exe	81
PID 1536 wrote to memory of 1272	1536	397f5c91fd7cafc22c3fe28bc8fe675a.exe	81
PID 1272 wrote to memory of 3052	1272	prikol.exe	82
PID 1272 wrote to memory of 3052	1272	prikol.exe	82
PID 1272 wrote to memory of 3052	1272	prikol.exe	82
PID 3052 wrote to memory of 3152	3052	WScript.exe	86
PID 3052 wrote to memory of 3152	3052	WScript.exe	86
PID 3052 wrote to memory of 3152	3052	WScript.exe	86
PID 3152 wrote to memory of 3136	3152	cmd.exe	88
PID 3152 wrote to memory of 3136	3152	cmd.exe	88
PID 3136 wrote to memory of 4480	3136	agentServer.exe	130
PID 3136 wrote to memory of 4480	3136	agentServer.exe	130

C:\Users\Admin\AppData\Local\Temp\397f5c91fd7cafc22c3fe28bc8fe675a.exe
"C:\Users\Admin\AppData\Local\Temp\397f5c91fd7cafc22c3fe28bc8fe675a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Users\Admin\AppData\Local\Temp\prikol.exe
  "C:\Users\Admin\AppData\Local\Temp\prikol.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comhostDhcpcommon\2tGgrQ6HpW.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\comhostDhcpcommon\V15q6MjWRY5zvqjkxpp.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\comhostDhcpcommon\agentServer.exe
        
        "C:\comhostDhcpcommon\agentServer.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3136
      - C:\Windows\en-US\RuntimeBroker.exe
        
        "C:\Windows\en-US\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Pictures\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\comhostDhcpcommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\comhostDhcpcommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\comhostDhcpcommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\odt\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\odt\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Default\Pictures\dwm.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\Windows\en-US\RuntimeBroker.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\Windows\en-US\RuntimeBroker.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\2tGgrQ6HpW.vbe

Filesize
213B

MD5
c0dbb672804e81ed5bdc6ae50ec4b16a

SHA1
df8bfc820f8de52ce8293395446991e5e5c43125

SHA256
3a91849c1602a6fd0556663ea487f01d64fe4828f619ed5eb3f13c67c20dd905

SHA512
6546e2c5c95f5bab69f7664cd4a0850a55554a1394a3dfe8252d048227df6ca8f0aec034f5954dbfc8eaf2137e642970364f71c1a5be5d5a68b6e5c32858f9e7

Download Submit
C:\comhostDhcpcommon\V15q6MjWRY5zvqjkxpp.bat

Filesize
38B

MD5
9daeb83018f1b30f4911748df09b9fa5

SHA1
6162370200b2c9e65620291d6ff114236492824e

SHA256
c85b773f45f51d07874769ea344f153f63709b38f04cfc4180a7791392dcd5bb

SHA512
1ec027262ba1aca607e00d00afb4cff5f471f39fb76760a1ac7af1437bd23814f0cb1ef8cad2211db104772ba02501812ba8e96f41ee3e0da56a7aac3ef5bced

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
memory/3136-157-0x00007FFE41F10000-0x00007FFE429D1000-memory.dmp

Filesize
10.8MB

Download
memory/3136-158-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/3136-156-0x0000000000060000-0x0000000000136000-memory.dmp

Filesize
856KB

Download
memory/3136-196-0x00007FFE41F10000-0x00007FFE429D1000-memory.dmp

Filesize
10.8MB

Download
memory/4480-197-0x00007FFE41F10000-0x00007FFE429D1000-memory.dmp

Filesize
10.8MB

Download
memory/4480-198-0x00007FFE41F10000-0x00007FFE429D1000-memory.dmp

Filesize
10.8MB

Download