Overview

Per-task scores (score, sample, platform):

Score  Sample                  Platform
10     Static                  -
10     -pril-main...th.exe     windows10-2004-x64
10     -pril-main...aw.exe     windows10-2004-x64
10     -pril-main...wd.exe     windows10-2004-x64
7      -pril-main...gh.exe     windows10-2004-x64
10     -pril-main...se.exe     windows10-2004-x64
10     -pril-main...ed.exe     windows10-2004-x64
10     Installer/CapCut.exe    windows10-2004-x64
10     start-main...on.exe     windows10-2004-x64
8      start-main/Sushi.exe    windows10-2004-x64
10     start-main...wd.exe     windows10-2004-x64
1      start-main...sd.exe     windows10-2004-x64
10     start-main...fd.exe     windows10-2004-x64
10     start-main...we.exe     windows10-2004-x64
5      start-main...wd.exe     windows10-2004-x64
10     start-main...pu.exe     windows10-2004-x64
10     start-main...th.exe     windows10-2004-x64
5      start-main...ed.exe     windows10-2004-x64
10     start-main...fk.exe     windows10-2004-x64
5      start-main...ha.exe     windows10-2004-x64
10     start-main...ha.exe     windows10-2004-x64
10     start-main...ea.exe     windows10-2004-x64
10     start-main...as.exe     windows10-2004-x64
7      start-main...dw.exe     windows10-2004-x64
8      start-main...ha.exe     windows10-2004-x64
1      start-main...wt.exe     windows10-2004-x64
10     start-main...wd.exe     windows10-2004-x64
10     start-main...gh.exe     windows10-2004-x64
3      start-main/pdf.exe      windows10-2004-x64
10     start-main...dh.exe     windows10-2004-x64
10     start-main...as.exe     windows10-2004-x64
7      start-main...tj.exe     windows10-2004-x64
Analysis (score 10)

max time kernel: 139s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 08:01
Static task: static1

Behavioral tasks (all use resource win10v2004-20241007-en):

Task          Sample
behavioral1   -pril-main/dwthjadth.exe
behavioral2   -pril-main/feuiyjjdaw.exe
behavioral3   -pril-main/kldrgawdtjawd.exe
behavioral4   -pril-main/pothjadwtrgh.exe
behavioral5   -pril-main/ptjjsekfthse.exe
behavioral6   -pril-main/thadkythjawed.exe
behavioral7   Installer/CapCut.exe
behavioral8   start-main/Session.exe
behavioral9   start-main/Sushi.exe
behavioral10  start-main/fgthawd.exe
behavioral11  start-main/gawdrgasd.exe
behavioral12  start-main/hbfgjhhesfd.exe
behavioral13  start-main/hdawuithjawe.exe
behavioral14  start-main/hnfsefawd.exe
behavioral15  start-main/jerniuiopu.exe
behavioral16  start-main/jthusjefth.exe
behavioral17  start-main/jythjadthawed.exe
behavioral18  start-main/khseofk.exe
behavioral19  start-main/khtoawdltrha.exe
behavioral20  start-main/ksfawtyha.exe
behavioral21  start-main/ktyhpldea.exe
behavioral22  start-main/lhoefskghas.exe
behavioral23  start-main/ltpohpadw.exe
behavioral24  start-main/mhbiwejrtgha.exe
behavioral25  start-main/njrtdhadawt.exe
behavioral26  start-main/odrsfgawd.exe
behavioral27  start-main/opthjdkawrtgh.exe
behavioral28  start-main/pdf.exe
behavioral29  start-main/pthjadh.exe
behavioral30  start-main/ptihjawdthas.exe
behavioral31  start-main/yjadyjasfdtj.exe
General

Target: start-main/yjadyjasfdtj.exe
Size: 855KB
MD5: 5780dbae6ac61a88c8d89f216f324146
SHA1: cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256: 4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
SHA512: 8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920
SSDEEP: 12288:I/TnPz84JfpflKH6qHJJMA+7pW3Ari4VVyZC0+1cp9rcDNpTWDTQGCZ6:I/TnzfS6qpJMA+73iE0nTr66
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Dcrat family
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
Process: yjadyjasfdtj.exe
All six IoCs are "Set value (str)" writes to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, with these values (in the order the report lists them):
- "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""
- "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""
- "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\""
- "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Windows\\fr-FR\\unsecapp.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\yjadyjasfdtj.exe\""
- "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""
- "explorer.exe, \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""
Process spawned unexpected child process (18 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (18 instances)
Every entry reads "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", with pid_target 5000 and procid_target 87. The spawned pids:

pid   Process
2228  schtasks.exe
4148  schtasks.exe
4828  schtasks.exe
1844  schtasks.exe
5116  schtasks.exe
4756  schtasks.exe
3492  schtasks.exe
2348  schtasks.exe
3552  schtasks.exe
4724  schtasks.exe
4652  schtasks.exe
220   schtasks.exe
804   schtasks.exe
4956  schtasks.exe
1864  schtasks.exe
3536  schtasks.exe
5056  schtasks.exe
1496  schtasks.exe
DCRat payload (2 IoCs)

resource                                                                     yara_rule
behavioral31/memory/2956-1-0x0000000000D70000-0x0000000000E4C000-memory.dmp  family_dcrat_v2
behavioral31/files/0x0007000000023cc4-30.dat                                 family_dcrat_v2
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Process: yjadyjasfdtj.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
Adds Run key to start application (2 TTPs, 12 IoCs)
Process: yjadyjasfdtj.exe
All twelve IoCs are "Set value (str)" writes:
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""
- \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjadyjasfdtj = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\yjadyjasfdtj.exe\""
- \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""
- \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Windows Mail\\upfc.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\fr-FR\\unsecapp.exe\""
- \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yjadyjasfdtj = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\start-main\\yjadyjasfdtj.exe\""
- \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""
- \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

flow  ioc
6     ipinfo.io
8     ipinfo.io
52    ipinfo.io
53    ipinfo.io
Drops file in System32 directory (2 IoCs)
Process: csc.exe
- File created: \??\c:\Windows\System32\CSCD3F585FDF0284F3586DD736A599960CC.TMP
- File created: \??\c:\Windows\System32\ovufcs.exe
Drops file in Program Files directory (4 IoCs)
Process: yjadyjasfdtj.exe
- File created: C:\Program Files (x86)\Windows Mail\upfc.exe
- File created: C:\Program Files (x86)\Windows Mail\ea1d8f6d871115
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe
- File created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e
Drops file in Windows directory (3 IoCs)
Process: yjadyjasfdtj.exe
- File created: C:\Windows\fr-FR\unsecapp.exe
- File opened for modification: C:\Windows\fr-FR\unsecapp.exe
- File created: C:\Windows\fr-FR\29c1c3cc0f7685
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoCs)
Process: yjadyjasfdtj.exe
- Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings
Scheduled Task/Job: Scheduled Task (1 TTPs, 18 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (18 instances), pids: 3552, 1496, 4148, 4828, 1844, 3492, 2348, 1864, 5056, 2228, 4756, 4724, 220, 4956, 5116, 804, 3536, 4652
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Process: yjadyjasfdtj.exe, pid 2956 (all 64 IoCs are the same pid/process pair)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Process: yjadyjasfdtj.exe
- Token: SeDebugPrivilege, pid 2956
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: yjadyjasfdtj.exe, csc.exe, cmd.exe
Each row below appears twice in the report (12 IoCs in total):

description                        pid   Process           procid_target
PID 2956 wrote to memory of 1388   2956  yjadyjasfdtj.exe  91
PID 1388 wrote to memory of 2736   1388  csc.exe           93
PID 2956 wrote to memory of 4784   2956  yjadyjasfdtj.exe  109
PID 4784 wrote to memory of 2972   4784  cmd.exe           111
PID 4784 wrote to memory of 2188   4784  cmd.exe           112
PID 4784 wrote to memory of 2960   4784  cmd.exe           119
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Process tree (depth in brackets; signatures matched on each process listed beneath it):

[1] C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe"
    PID: 2956
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y3oj4ull\y3oj4ull.cmdline"
        PID: 1388
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES50C.tmp" "c:\Windows\System32\CSCD3F585FDF0284F3586DD736A599960CC.TMP"
            PID: 2736
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OQx62mXHfy.bat"
        PID: 4784
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\chcp.com
            Command line: chcp 65001
            PID: 2972
        [3] C:\Windows\system32\w32tm.exe
            Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            PID: 2188
        [3] C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe"
            PID: 2960

The following 18 processes are all C:\Windows\system32\schtasks.exe at depth [1] (their parent, wmiprvse.exe, is not part of the tree), and each carries the same two signatures: "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".

[1] PID 2228
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
[1] PID 4148
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
[1] PID 4828
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
[1] PID 1844
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
[1] PID 5116
    Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
[1] PID 4756
    Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
[1] PID 2348
    Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
[1] PID 3492
    Command line: schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
[1] PID 3552
    Command line: schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
[1] PID 4724
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
[1] PID 4652
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
[1] PID 220
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
[1] PID 804
    Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /f
[1] PID 1864
    Command line: schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
[1] PID 4956
    Command line: schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\unsecapp.exe'" /rl HIGHEST /f
[1] PID 3536
    Command line: schtasks.exe /create /tn "yjadyjasfdtjy" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe'" /f
[1] PID 5056
    Command line: schtasks.exe /create /tn "yjadyjasfdtj" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe'" /rl HIGHEST /f
[1] PID 1496
    Command line: schtasks.exe /create /tn "yjadyjasfdtjy" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\start-main\yjadyjasfdtj.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads

File 1
Filesize: 855KB
MD5: 5780dbae6ac61a88c8d89f216f324146
SHA1: cebcebedc7aaea3a4dd1fbec933cd169bf92e9dc
SHA256: 4b1967b04039c9b7a23651043b38c895cca2eb560de30a960368f82549079605
SHA512: 8a595384247649e31ef0c69a63243199d224334d75b66fd486a8e6ba0ac3c2b5521e1ead4b64fb9c968c21a4836581dde10e78f36217b62862c40bed2d105920

File 2
Filesize: 237B
MD5: e1fbef1cbf75a391ba4efdbef10ee101
SHA1: 6f39a7b5be36a589cffeae2d2b5927af86675aad
SHA256: 2528522f3036893dad62bdf53c563a63bf2dfeea0ad03c5d838d2a675be41a34
SHA512: c146b88fef16b7175f4d68dee2de37d8437f33902fcf340a90a5911f99624150a9df113362746df94400efd7b974c5683bf6c7e6ba70ddfe99f90893ea096a64

File 3
Filesize: 1KB
MD5: a1f55f932de6f391177aabfedab6c01e
SHA1: 6a28426751f4102650b76108bcf393bf1b489c76
SHA256: c13c29d50566e22e654d7d84c651ae9e17a479165474226369d9187e612ab089
SHA512: 1c5deac84dc4c2a4676041307a54329902526b08a60a3fcf096916f196174f5c0f6cca3be15c9fa9855510f2bb21e742b466839c38160d59c9ea752ba2872db1

File 4
Filesize: 409B
MD5: 059fdfbe03eeb2ad5f27dfcf1c12abb1
SHA1: ca8ad47e65bfd50b53057763717097d99262d4e7
SHA256: 9b170c69338e1129fe6eec3cb01fe7935b9a28acf3163fb82a92b03b331e7570
SHA512: f247daf154bb06b30c28c14a2c4aaec78c4b27856c9d3c42fa967a0bf69d8b43490da66315176525aeb33a4cf15410f2b5e87aa0231c92266726b1c408bea321

File 5
Filesize: 235B
MD5: fc439afbc15cf69a5937b3b7d753bf9f
SHA1: c21d917d19345209aeaa387c592d0b6097de0dbf
SHA256: 1fd01beac4d0e0feea8f2e52e85ab67bfab1902598a7936a0ec355ce763e9343
SHA512: bd7afbd55f3d9ec822f8ecd2bbe447a9572b64df6c0bccf2e522c6c1927278ac2b45c93a1996b984e6640ae1980a629f2c7971f794c1f3b73c220c953549a939

File 6
Filesize: 1KB
MD5: 1c519e4618f2b468d0f490d4a716da11
SHA1: 1a693d0046e48fa813e4fa3bb94ccd20d43e3106
SHA256: 4dbf16e3b3bb06c98eeaf27d0a25d9f34ee0ceac51e6365218ef7cd09edb3438
SHA512: 99f293878a08b56db6ff2297f243f5f5b85864e6925a1d6af61a65369f7eb323ae1b75fe5f1465fac0b982ac9f49b9e0a295b5dac947da40f61991c4411233fd