dcrat | e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908

Analysis

max time kernel
138s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38924c8184bf5944da2ac3e5cd987da2.exe
Size

2.0MB
MD5

38924c8184bf5944da2ac3e5cd987da2
SHA1

1af0d4b729dd9c3a42c197a4ec961cab5722adda
SHA256

e767887e30b91919d5dc1dd2bf79ed277c2778363732e7c84f42f1f1808e5908
SHA512

225e25eb08a1abe529a4fc5eb435eb800145a782e3dbdd6ba1c28925f84d758c18111ed181649bd222d50fd4a44f1ede7e43c630a58ae9a92fd2074d3d306a61
SSDEEP

24576:FcBmS1nneRYZwoKBU7ArlQUCeYIxerW33/XfV6jx9aP5VR/z0WcBS4bppmHVSqyW:9S4/ST6xijxsBEmHVSqFHOHqnCgXu8

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\lua\\meta\\reader\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\csrss.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\lua\\meta\\reader\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\explorer.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\csrss.exe\", \"C:\\Windows\\SysWOW64\\ru-RU\\decC0DF.tmp.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\lua\\meta\\reader\\csrss.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\lua\\meta\\reader\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\wininit.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\VideoLAN\\VLC\\lua\\meta\\reader\\csrss.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\explorer.exe\""	decC0DF.tmp

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2836	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2836	schtasks.exe	31

DCRat payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000012117-4.dat	family_dcrat_v2
behavioral1/memory/2392-7-0x00000000003D0000-0x0000000000586000-memory.dmp	family_dcrat_v2
behavioral1/memory/2312-104-0x0000000000FD0000-0x0000000001186000-memory.dmp	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1084	powershell.exe
1896	powershell.exe
1372	powershell.exe
1696	powershell.exe
2844	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2392	decC0DF.tmp
2312	explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\wininit.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Esl\\wininit.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Portable Devices\\explorer.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\csrss.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\decC0DF.tmp = "\"C:\\Windows\\SysWOW64\\ru-RU\\decC0DF.tmp.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\decC0DF.tmp = "\"C:\\Windows\\SysWOW64\\ru-RU\\decC0DF.tmp.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\meta\\reader\\csrss.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\VideoLAN\\VLC\\lua\\meta\\reader\\csrss.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Windows Portable Devices\\explorer.exe\""	decC0DF.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\csrss.exe\""	decC0DF.tmp

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ru-RU\decC0DF.tmp.exe	decC0DF.tmp
File created	C:\Windows\SysWOW64\ru-RU\4c8e66b7fdb86e	decC0DF.tmp
File created	\??\c:\Windows\System32\CSC810439AD69634059B3EDF1A5FAE2DB7C.TMP	csc.exe
File created	\??\c:\Windows\System32\1woi1z.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\csrss.exe	decC0DF.tmp
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\886983d96e3d3e	decC0DF.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\56085415360792	decC0DF.tmp
File created	C:\Program Files\Windows Portable Devices\explorer.exe	decC0DF.tmp
File created	C:\Program Files\Reference Assemblies\Microsoft\886983d96e3d3e	decC0DF.tmp
File created	C:\Program Files\VideoLAN\VLC\lua\meta\reader\csrss.exe	decC0DF.tmp
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe	decC0DF.tmp
File created	C:\Program Files\Windows Portable Devices\7a0fd90576e088	decC0DF.tmp
File created	C:\Program Files\Reference Assemblies\Microsoft\csrss.exe	decC0DF.tmp

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1072	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1072	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
628	schtasks.exe
1724	schtasks.exe
2608	schtasks.exe
1964	schtasks.exe
2708	schtasks.exe
2788	schtasks.exe
1528	schtasks.exe
1208	schtasks.exe
864	schtasks.exe
2964	schtasks.exe
876	schtasks.exe
788	schtasks.exe
1900	schtasks.exe
2012	schtasks.exe
620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp
2392	decC0DF.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2312	explorer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	decC0DF.tmp
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2312	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2312	explorer.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2392	2372	38924c8184bf5944da2ac3e5cd987da2.exe	30
PID 2372 wrote to memory of 2392	2372	38924c8184bf5944da2ac3e5cd987da2.exe	30
PID 2372 wrote to memory of 2392	2372	38924c8184bf5944da2ac3e5cd987da2.exe	30
PID 2392 wrote to memory of 2664	2392	decC0DF.tmp	36
PID 2392 wrote to memory of 2664	2392	decC0DF.tmp	36
PID 2392 wrote to memory of 2664	2392	decC0DF.tmp	36
PID 2664 wrote to memory of 2300	2664	csc.exe	38
PID 2664 wrote to memory of 2300	2664	csc.exe	38
PID 2664 wrote to memory of 2300	2664	csc.exe	38
PID 2392 wrote to memory of 1896	2392	decC0DF.tmp	51
PID 2392 wrote to memory of 1896	2392	decC0DF.tmp	51
PID 2392 wrote to memory of 1896	2392	decC0DF.tmp	51
PID 2392 wrote to memory of 1084	2392	decC0DF.tmp	52
PID 2392 wrote to memory of 1084	2392	decC0DF.tmp	52
PID 2392 wrote to memory of 1084	2392	decC0DF.tmp	52
PID 2392 wrote to memory of 1372	2392	decC0DF.tmp	54
PID 2392 wrote to memory of 1372	2392	decC0DF.tmp	54
PID 2392 wrote to memory of 1372	2392	decC0DF.tmp	54
PID 2392 wrote to memory of 1696	2392	decC0DF.tmp	55
PID 2392 wrote to memory of 1696	2392	decC0DF.tmp	55
PID 2392 wrote to memory of 1696	2392	decC0DF.tmp	55
PID 2392 wrote to memory of 2844	2392	decC0DF.tmp	56
PID 2392 wrote to memory of 2844	2392	decC0DF.tmp	56
PID 2392 wrote to memory of 2844	2392	decC0DF.tmp	56
PID 2392 wrote to memory of 2812	2392	decC0DF.tmp	60
PID 2392 wrote to memory of 2812	2392	decC0DF.tmp	60
PID 2392 wrote to memory of 2812	2392	decC0DF.tmp	60
PID 2812 wrote to memory of 1880	2812	cmd.exe	63
PID 2812 wrote to memory of 1880	2812	cmd.exe	63
PID 2812 wrote to memory of 1880	2812	cmd.exe	63
PID 2812 wrote to memory of 1072	2812	cmd.exe	64
PID 2812 wrote to memory of 1072	2812	cmd.exe	64
PID 2812 wrote to memory of 1072	2812	cmd.exe	64
PID 2812 wrote to memory of 2312	2812	cmd.exe	65
PID 2812 wrote to memory of 2312	2812	cmd.exe	65
PID 2812 wrote to memory of 2312	2812	cmd.exe	65

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\38924c8184bf5944da2ac3e5cd987da2.exe
"C:\Users\Admin\AppData\Local\Temp\38924c8184bf5944da2ac3e5cd987da2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\decC0DF.tmp
  C:\Users\Admin\AppData\Local\Temp\decC0DF.tmp
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h4oe2hkt\h4oe2hkt.cmdline"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE28.tmp" "c:\Windows\System32\CSC810439AD69634059B3EDF1A5FAE2DB7C.TMP"
      4⤵
      PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\meta\reader\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\ru-RU\decC0DF.tmp.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LCuvcuulc7.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1880
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1072
  - - C:\Program Files\Windows Portable Devices\explorer.exe
      "C:\Program Files\Windows Portable Devices\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "decC0DF.tmpd" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\ru-RU\decC0DF.tmp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "decC0DF.tmp" /sc ONLOGON /tr "'C:\Windows\SysWOW64\ru-RU\decC0DF.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "decC0DF.tmpd" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\ru-RU\decC0DF.tmp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LCuvcuulc7.bat

Filesize
182B

MD5
5392819d5fcf8229528998e8c6fda192

SHA1
c3c6b968535b8c10e8df95a8a6d06507642f5538

SHA256
6bec1fce33f3096feda3fde7340c544a127ef7915c9cb7c40c4fb6714e25ad6c

SHA512
76ed132243704314ff27957545a393540cb50a89105eefb5ee535b6f3d6fae2911e5652c0603e073120c02956d2663d1d8104ed75331fe3d1689fd3816bacfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCE28.tmp

Filesize
1KB

MD5
e48f6c2486367b49c1da19499080ea65

SHA1
51d144dbe983c83cb5b572c79c13de7c3cac2bee

SHA256
67d2f8d3eb1cac12d796bd0e3916828ece7501d9fa910913655a830d99a066ed

SHA512
c2eb1dd4b971891a45286a122ff5a632949b42884c6e4066d4814bf955802663dfdc985be97accd6eb62f5d85ec7fdbd934d5230d105c1cabd1ac174f35b2131

Download Submit
C:\Users\Admin\AppData\Local\Temp\decC0DF.tmp

Filesize
1.7MB

MD5
37d00592110ca3cc53b7f6ca6ab1c82a

SHA1
86e13c84c33969081fe59d123e3cf81e9b3e5674

SHA256
5acd08cc77f1cebd2cb95f88b37edf94b9e72b9b1c965af7ea2766e9ddc5afb9

SHA512
618eeaec0ac5390184a3b6195634cb16d3def1d2ac8ab3664b3128a4e4776dda7777e6c2aedf138a6f8e9b7f6f84fc58c38f89d9178b220443567e0c55e0bbcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3cf9a3e2f5e7d5e13a3f3b7eba8eca63

SHA1
9dfc65908b532333d5e5e0be159f9faf55db2e5d

SHA256
c822634de56f010f197f0fc9619443cd9ed1c77b52eb41c1994c673dfece085c

SHA512
73f1bcbecb72bbcdb570b6b7b2db03633dcfd8699c956c5527e180254995422426e785c43bfb0518ba6a344c38b76a604dcd9d5f6eed7c0210763c5e77c595dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4oe2hkt\h4oe2hkt.0.cs

Filesize
387B

MD5
3a2fc4174f03a03fc440dce4467ac6a8

SHA1
f601342c2aac33fa02bf5d2bef63fc12f966c24f

SHA256
fa02bb090f93482f1285838f56504d79934b7600cd87235930847a7274354bf3

SHA512
443fd2c8251ab2632a7762a87bd6a43d10c050b503fe0a9a27326d956df5c91ab83d612e8057374ebf7a5f55199e275c62ed2eee6931495e9467c082e6c2b407

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h4oe2hkt\h4oe2hkt.cmdline

Filesize
235B

MD5
f743638c62922c729b7f051e00d183dc

SHA1
5237d333c94470e7031be4b3455ad7a2fdf0db8e

SHA256
b953411cbb8a9921b83912a5436b83a152863609ac1cb053355dd3210b2cbbf7

SHA512
2d5ddee7683f7da67cbe450956cd4ed7bf9ba3dc6c7d857fb5dd05f7031583ccbc2bbb9f8ddf43db31d82c5e489cb1425d3815889d2cc3a2308b71737b7eb81a

Download Submit
\??\c:\Windows\System32\CSC810439AD69634059B3EDF1A5FAE2DB7C.TMP

Filesize
1KB

MD5
dcd286f3a69cfd0292a8edbc946f8553

SHA1
4d347ac1e8c1d75fc139878f5646d3a0b083ef17

SHA256
29e03364271673f4b388131b7773d016df859bb0b1c5e6c3ad6914a632600596

SHA512
4b9546033bd4957263854fbb0a87aa1d57ce3afbce7bf03b12b05b78f97c5a27c52c1d73e34b6a5ba2c395e26ec9c474a32609441b99cf78ea707113fca96f77

Download Submit
memory/1372-87-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1896-88-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2312-104-0x0000000000FD0000-0x0000000001186000-memory.dmp

Filesize
1.7MB

Download
memory/2372-101-0x0000000000400000-0x000000000060C000-memory.dmp

Filesize
2.0MB

Download
memory/2392-19-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-43-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2392-27-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-26-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/2392-32-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2392-24-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-23-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2392-30-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-33-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-35-0x0000000000390000-0x000000000039E000-memory.dmp

Filesize
56KB

Download
memory/2392-37-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/2392-39-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/2392-41-0x00000000021C0000-0x000000000221A000-memory.dmp

Filesize
360KB

Download
memory/2392-29-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2392-45-0x00000000007E0000-0x00000000007EE000-memory.dmp

Filesize
56KB

Download
memory/2392-47-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/2392-49-0x00000000007F0000-0x00000000007FC000-memory.dmp

Filesize
48KB

Download
memory/2392-21-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/2392-15-0x0000000000350000-0x0000000000368000-memory.dmp

Filesize
96KB

Download
memory/2392-17-0x0000000000300000-0x000000000030E000-memory.dmp

Filesize
56KB

Download
memory/2392-18-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-13-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-12-0x0000000000330000-0x000000000034C000-memory.dmp

Filesize
112KB

Download
memory/2392-10-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2392-100-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-8-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

Filesize
9.9MB

Download
memory/2392-7-0x00000000003D0000-0x0000000000586000-memory.dmp

Filesize
1.7MB

Download
memory/2392-6-0x000007FEF57A3000-0x000007FEF57A4000-memory.dmp

Filesize
4KB

Download