Analysis

  • max time kernel
    62s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-05-2024 15:38

General

  • Target

    nursultan nexgen fix.exe

  • Size

    1.5MB

  • MD5

    a3d07c747770c9a471a44446e46e33d5

  • SHA1

    8340534fb1770bae9660287ddb0496e243efcfe4

  • SHA256

    16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de

  • SHA512

    307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99

  • SSDEEP

    24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 4 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
    "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2520
        • C:\portagentbrowserweb\Containerruntime.exe
          "C:\portagentbrowserweb\Containerruntime.exe"
          4⤵
          • DcRat
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2588
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N8SyuyWpl3.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2204
              • C:\portagentbrowserweb\Containerruntime.exe
                "C:\portagentbrowserweb\Containerruntime.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2856
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\um8HIFfzyt.bat"
                  7⤵
                    PID:2888
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:1004
                      • C:\portagentbrowserweb\Containerruntime.exe
                        "C:\portagentbrowserweb\Containerruntime.exe"
                        8⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1424
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VXmV8iK6sd.bat"
                          9⤵
                            PID:676
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1556
                              • C:\Users\Admin\Idle.exe
                                "C:\Users\Admin\Idle.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2272
                  • C:\Windows\SysWOW64\reg.exe
                    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                    4⤵
                    • Modifies registry key
                    PID:2540
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\winlogon.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2412
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2600
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2384
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\wininit.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2484
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:3032
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2532
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:304
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1004
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\services.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1472
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\Containerruntime.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2352
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Containerruntime.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2628
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\Containerruntime.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1868
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1912
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2284
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:348
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\services.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1012
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1876
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\services.exe'" /rl HIGHEST /f
              1⤵
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2692
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:1840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              PID:2688
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Creates scheduled task(s)
              PID:2672
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe"
              1⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:844
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5b09758,0x7fef5b09768,0x7fef5b09778
                2⤵
                  PID:284
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:2
                  2⤵
                    PID:1436
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:8
                    2⤵
                      PID:1504
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:8
                      2⤵
                        PID:944
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:1
                        2⤵
                          PID:1240
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:1
                          2⤵
                            PID:1384
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3188 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:2
                            2⤵
                              PID:2364
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3284 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:1
                              2⤵
                                PID:1744
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3416 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:8
                                2⤵
                                  PID:2516
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3536 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:8
                                  2⤵
                                    PID:2488
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 --field-trial-handle=1288,i,15004230773894207021,6634837885155707188,131072 /prefetch:8
                                    2⤵
                                      PID:1912
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2196
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:444
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3036
                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                    1⤵
                                      PID:1252
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\chrome.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2932
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2636
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2832
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chrome.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      PID:2380
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2420
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1768
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Idle.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:904
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2960
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2896
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2064
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:880
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1988
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\chrome.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1488
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2012
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 6 /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2144
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2032
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2016
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\winlogon.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      PID:1216
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:856
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2592
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\audiodg.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1556
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Containerruntime.exe'" /f
                                      1⤵
                                      • Process spawned unexpected child process
                                      PID:2292
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "Containerruntime" /sc ONLOGON /tr "'C:\Users\Default User\Containerruntime.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1328
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "ContainerruntimeC" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Containerruntime.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:476
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:764
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1768
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsass.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      PID:2376
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\chrome.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2844
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Windows\de-DE\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1516
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:616
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2520
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      PID:2940
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\spoolsv.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2488
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1020
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1280
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\wininit.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:1756
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\chrome.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2384
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:2772
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 13 /tr "'C:\portagentbrowserweb\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      • Creates scheduled task(s)
                                      PID:444
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhost.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Process spawned unexpected child process
                                      PID:692
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:2896
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:2792
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:2056
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • Creates scheduled task(s)
                                      PID:1332
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:2576
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\chrome.exe'" /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:2100
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Users\Default\Templates\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:2368
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "chromec" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\chrome.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:2640
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /f
                                      1⤵
                                      • Creates scheduled task(s)
                                      PID:1936
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      PID:356
                                    • C:\Windows\system32\schtasks.exe
                                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\explorer.exe'" /rl HIGHEST /f
                                      1⤵
                                      • DcRat
                                      • Creates scheduled task(s)
                                      PID:1512

                                    Network

                                    MITRE ATT&CK Enterprise v15

                                    Downloads

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
                                      Filesize: 16B
                                      MD5: aefd77f47fb84fae5ea194496b44c67a
                                      SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
                                      SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
                                      SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
                                      Filesize: 264KB
                                      MD5: f50f89a0a91564d0b8a211f8921aa7de
                                      SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
                                      SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
                                      SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                      Filesize: 5KB
                                      MD5: 80e1eec4586acb751915a651dc5c82d3
                                      SHA1: 521f3b72a9e98d2b3cbfadd1ed536fbdbfdbcc67
                                      SHA256: 07da6b05889728a97ee94f97e3e5f2054fd9b537aa674ce05e1d59732cfed699
                                      SHA512: 25ef428e6d794ddb7fcb874b442518748f11b175409886bd52bf2647e7a1af38c152ea1f65e54665068abd941581b66f64ab27111bbb1d15c09bcb23d6baabea

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                      Filesize: 5KB
                                      MD5: a20585fc4c09fc90b00aba0826e18e74
                                      SHA1: b2f17afbb0c5522dea7dac32ab11d2a8c59c3fdd
                                      SHA256: bff96d508f8f9825fc2df2c41b21c8e5b5f3b04991bf0a28aca0cd428acdd47c
                                      SHA512: 5299311272dfaa15543d14addc3cc1f36bba93f30d9dabd0d573d10227ec0a4eebd46eea6e98f9473fca71d96e3a41db2d8623f7952eb2b06c724678fdeeee86

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
                                      Filesize: 16B
                                      MD5: 18e723571b00fb1694a3bad6c78e4054
                                      SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
                                      SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
                                      SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                      Filesize: 282KB
                                      MD5: fdb43021b34764389cae493814fd5775
                                      SHA1: d9f93eba47e454aad6e4c7bc244e1d2325a03e1e
                                      SHA256: c01c236b1747ef72af05e500f7c35aa66f1f02f0752507228461210bc771e60e
                                      SHA512: d9401273e9f1585dc7769279c7645b52fdcde64e26f50c1aa1a31eca5885b1deafebaf991380f7bef517dafb4dde8af3c94b156cd29b56acc07099564c45b5f2

                                    • C:\Users\Admin\AppData\Local\Temp\N8SyuyWpl3.bat
                                      Filesize: 208B
                                      MD5: ce0480728a4da0444ab88a508efbc904
                                      SHA1: f8e16b6667f01222a2c09d4a393df3d181035878
                                      SHA256: dc74365cd4160201fedf53a346934d983c0709150a918500dcdb9e799124f605
                                      SHA512: f0c106d07dd42d3c1ce3da2f9c7e8a23833c5c7ed96297f152e13a645e82ff946c1f08ca835ce9180afc341c651c603dcfe0432828fd4f2dc34f6ea3939e75c2

                                    • C:\Users\Admin\AppData\Local\Temp\VXmV8iK6sd.bat
                                      Filesize: 188B
                                      MD5: f7a351fd8fd0f4819a1757d6b17f21e1
                                      SHA1: 948cfabd492c1b3a18f243ea4bb698d6f529a228
                                      SHA256: 96b9f5ca01302b138560f557a1a18c25c70f34f725d437aba1fb38bb1fa253f4
                                      SHA512: 0e68d63d547d8dc02ce706b9e301770e2209bf882bad39244818a2629d03b939fd7d7b127a72f836feb5dd4973e7ca4d8306fca969c6380fa347525f36497502

                                    • C:\Users\Admin\AppData\Local\Temp\um8HIFfzyt.bat
                                      Filesize: 208B
                                      MD5: bb03dfc9b13b517e5500f1bdef2c2a19
                                      SHA1: 885abf300c93b86e8f1d5e179979a427d372d2b7
                                      SHA256: eb81a241e7f0855e8bc88cc62f25724f242638641641b2bb9d709d3870159c51
                                      SHA512: b13a430442b85759945090a5271632c4b5af003d6a57c4ff23c16d530204be75f54e05d3ce56943f2f531f2696b7094f3a3aa714a37e013ca0c8d27e39ce756c

                                    • C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat
                                      Filesize: 157B
                                      MD5: c8f8a078dace2ff4cb106803c9199643
                                      SHA1: a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
                                      SHA256: 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
                                      SHA512: efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

                                    • C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe
                                      Filesize: 220B
                                      MD5: 61a07f2f9e8e9b1f5175b2d60c3e3f18
                                      SHA1: e695b0c2b43c786453bf3f6ae504f0626951d281
                                      SHA256: 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
                                      SHA512: 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d

                                    • \??\pipe\crashpad_844_ETQDPUBCPWMUBZAV
                                      MD5: d41d8cd98f00b204e9800998ecf8427e
                                      SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
                                      SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
                                      SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                    • \portagentbrowserweb\Containerruntime.exe
                                      Filesize: 1.2MB
                                      MD5: 5887a563351ca99247b7e2c448bd9f2e
                                      SHA1: b24695e88143863297535989900bb7521ea86d67
                                      SHA256: e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
                                      SHA512: b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

                                    • memory/2272-170-0x0000000000D20000-0x0000000000E52000-memory.dmp
                                      Filesize: 1.2MB

                                    • memory/2588-14-0x0000000000500000-0x000000000051C000-memory.dmp
                                      Filesize: 112KB

                                    • memory/2588-16-0x0000000000540000-0x000000000054C000-memory.dmp
                                      Filesize: 48KB

                                    • memory/2588-15-0x0000000000520000-0x0000000000536000-memory.dmp
                                      Filesize: 88KB

                                    • memory/2588-13-0x0000000000150000-0x0000000000282000-memory.dmp
                                      Filesize: 1.2MB

                                    • memory/2856-37-0x0000000000D60000-0x0000000000E92000-memory.dmp
                                      Filesize: 1.2MB