dcrat | d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CE2EC4539435DFEAC7E246FE5565C521.exe
Size

2.9MB
MD5

ce2ec4539435dfeac7e246fe5565c521
SHA1

59f3da006005a109914c31b5d5cd94dc4c93309c
SHA256

d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562
SHA512

408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba
SSDEEP

49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Steam\\steamclient.exe\""	CE2EC4539435DFEAC7E246FE5565C521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Steam\\steamclient.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CE2EC4539435DFEAC7E246FE5565C521.exe\""	CE2EC4539435DFEAC7E246FE5565C521.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3484	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	3484	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3484	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	3484	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	3484	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	3484	schtasks.exe	85

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4728	powershell.exe
3324	powershell.exe
2332	powershell.exe
3456	powershell.exe
1356	powershell.exe
2016	powershell.exe
2876	powershell.exe
3996	powershell.exe
2568	powershell.exe
2232	powershell.exe
3680	powershell.exe
4188	powershell.exe
3272	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	CE2EC4539435DFEAC7E246FE5565C521.exe

Executes dropped EXE 1 IoCs

pid	Process
1756	steamclient.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamclient = "\"C:\\Program Files (x86)\\Steam\\steamclient.exe\""	CE2EC4539435DFEAC7E246FE5565C521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamclient = "\"C:\\Program Files (x86)\\Steam\\steamclient.exe\""	CE2EC4539435DFEAC7E246FE5565C521.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE2EC4539435DFEAC7E246FE5565C521 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CE2EC4539435DFEAC7E246FE5565C521.exe\""	CE2EC4539435DFEAC7E246FE5565C521.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE2EC4539435DFEAC7E246FE5565C521 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CE2EC4539435DFEAC7E246FE5565C521.exe\""	CE2EC4539435DFEAC7E246FE5565C521.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC25CF56DF4B4B47429A5CD87DA385AC20.TMP	csc.exe
File created	\??\c:\Windows\System32\xqt5sk.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\steamclient.exe	CE2EC4539435DFEAC7E246FE5565C521.exe
File opened for modification	C:\Program Files (x86)\Steam\steamclient.exe	CE2EC4539435DFEAC7E246FE5565C521.exe
File created	C:\Program Files (x86)\Steam\fcafd258929766	CE2EC4539435DFEAC7E246FE5565C521.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	CE2EC4539435DFEAC7E246FE5565C521.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2272	schtasks.exe
1676	schtasks.exe
1060	schtasks.exe
4192	schtasks.exe
3296	schtasks.exe
3200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe
1072	CE2EC4539435DFEAC7E246FE5565C521.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	CE2EC4539435DFEAC7E246FE5565C521.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1756	steamclient.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 3876	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	89
PID 1072 wrote to memory of 3876	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	89
PID 3876 wrote to memory of 5100	3876	csc.exe	95
PID 3876 wrote to memory of 5100	3876	csc.exe	95
PID 1072 wrote to memory of 2016	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	99
PID 1072 wrote to memory of 2016	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	99
PID 1072 wrote to memory of 2876	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	100
PID 1072 wrote to memory of 2876	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	100
PID 1072 wrote to memory of 1356	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	101
PID 1072 wrote to memory of 1356	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	101
PID 1072 wrote to memory of 3456	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	102
PID 1072 wrote to memory of 3456	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	102
PID 1072 wrote to memory of 2332	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	103
PID 1072 wrote to memory of 2332	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	103
PID 1072 wrote to memory of 4728	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	104
PID 1072 wrote to memory of 4728	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	104
PID 1072 wrote to memory of 3996	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	105
PID 1072 wrote to memory of 3996	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	105
PID 1072 wrote to memory of 2568	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	106
PID 1072 wrote to memory of 2568	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	106
PID 1072 wrote to memory of 3272	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	107
PID 1072 wrote to memory of 3272	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	107
PID 1072 wrote to memory of 4188	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	108
PID 1072 wrote to memory of 4188	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	108
PID 1072 wrote to memory of 3680	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	109
PID 1072 wrote to memory of 3680	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	109
PID 1072 wrote to memory of 2232	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	110
PID 1072 wrote to memory of 2232	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	110
PID 1072 wrote to memory of 3324	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	112
PID 1072 wrote to memory of 3324	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	112
PID 1072 wrote to memory of 2504	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	124
PID 1072 wrote to memory of 2504	1072	CE2EC4539435DFEAC7E246FE5565C521.exe	124
PID 2504 wrote to memory of 668	2504	cmd.exe	131
PID 2504 wrote to memory of 668	2504	cmd.exe	131
PID 2504 wrote to memory of 2304	2504	cmd.exe	128
PID 2504 wrote to memory of 2304	2504	cmd.exe	128
PID 2504 wrote to memory of 1756	2504	cmd.exe	136
PID 2504 wrote to memory of 1756	2504	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe
"C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0naid3u\l0naid3u.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A6.tmp" "c:\Windows\System32\CSC25CF56DF4B4B47429A5CD87DA385AC20.TMP"
    3⤵
    PID:5100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cEtYnqFhvN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:668
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2304
- - C:\Program Files (x86)\Steam\steamclient.exe
    "C:\Program Files (x86)\Steam\steamclient.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "steamclient" /sc ONLOGON /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CE2EC4539435DFEAC7E246FE5565C521C" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\CE2EC4539435DFEAC7E246FE5565C521.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Steam\steamclient.exe

Filesize
2.9MB

MD5
ce2ec4539435dfeac7e246fe5565c521

SHA1
59f3da006005a109914c31b5d5cd94dc4c93309c

SHA256
d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562

SHA512
408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A6.tmp

Filesize
1KB

MD5
ba4260534fd00e8ef3b0bfb020858cb4

SHA1
4f3e35ccbbf21acf9deafb50b218fc725d153a2d

SHA256
6b121476509a55ea835df63636769a5ac4498924ae010c1cd0f289c00bb78448

SHA512
1c81ca357ec6173fca7b55e0bfdf647fcc4407726cb82c18fe692b52015d0f255458b50ce85974501212805f4adf3319cf1e8631970d11d828bbf37b9af1d752

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apw5ofct.btz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEtYnqFhvN.bat

Filesize
220B

MD5
8fbef8264a342aed2482a4ed6d75e25b

SHA1
d9aac267bfbd1633574006719d3c9da0bf792bcf

SHA256
ebea9bd8d6008a471d6d5f7d1e6a4ab7bdebd4f5eef1f3b96afeaee9bd15ee30

SHA512
b90d43d3daa66d351dc9b719986bd5b481bbe0aec5e4f3bb0187df3fc2bcafee97c25b315856b616f0c604abd0315b0b7ed8afde856d30efca527cc4f6b83cb9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0naid3u\l0naid3u.0.cs

Filesize
376B

MD5
9ff04ca2269b402ccb198797dc904627

SHA1
917e01b71c6f55968a9533c9dc0d5fdc82950112

SHA256
4939c1ca33b8e49e3eee6a05c3e658cc091a349b582d25258f3bb4a41fae0e97

SHA512
b8981a4681698bf93a9dc813eab4ad18f8dcedb05fde9db635adda9377465e63f438e6f49728367cb067fc1cc5a99fe2b8c595c3f7daf5096ac4ad786d8acb4c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l0naid3u\l0naid3u.cmdline

Filesize
235B

MD5
5cb67fb0eecbf3b1b4baade383c0f613

SHA1
adaa53ec1013dae28091a7d9b489b0369c037470

SHA256
0a7b51a7174fbd03f1fe3e3310fa0b69eade83f659883f26556203bae34b1ffc

SHA512
446b7fc495e6203d16689ee0a38b9051b03d8a3c73884eeeddc3ab7506676e9a33e39d9012bf7a8a5cf91ec5cbe5d60c97cbcc486e8b104f618470b57165d075

Download Submit
\??\c:\Windows\System32\CSC25CF56DF4B4B47429A5CD87DA385AC20.TMP

Filesize
1KB

MD5
ad61927912f86c7c9f1e72720f4ef0ef

SHA1
dbb61d9d5c7310c85716fe9f445fee2151cef437

SHA256
bf2696fc2183af293d74c988add5772c1c7257c2e85ae754e43cbe0e1d105a1e

SHA512
33b6f9f93672bd0ecb68e553de0ce92dd6b773c62da7721c9544171df7de8b8588e9ba42e13836db5d5ffc078ca656993f8d06a857dda5a27e1d639d5a6fb3ee

Download Submit
memory/1072-3562-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3570-0x0000000002E50000-0x0000000002E5E000-memory.dmp

Filesize
56KB

Download
memory/1072-61-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-59-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-57-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-55-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-53-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-63-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-49-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-47-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-44-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-40-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-38-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-36-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-34-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-32-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-26-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-24-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-28-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-20-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-18-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-16-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-14-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-10-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-8-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-6-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-4-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-12-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-3-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-1902-0x00007FFEB3DF3000-0x00007FFEB3DF5000-memory.dmp

Filesize
8KB

Download
memory/1072-2228-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-65-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-3563-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3564-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3566-0x000000001BB40000-0x000000001BB66000-memory.dmp

Filesize
152KB

Download
memory/1072-3567-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3568-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-67-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-3571-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3573-0x000000001BB70000-0x000000001BB8C000-memory.dmp

Filesize
112KB

Download
memory/1072-3574-0x000000001C9B0000-0x000000001CA00000-memory.dmp

Filesize
320KB

Download
memory/1072-3576-0x000000001B7C0000-0x000000001B7D0000-memory.dmp

Filesize
64KB

Download
memory/1072-3578-0x000000001C960000-0x000000001C978000-memory.dmp

Filesize
96KB

Download
memory/1072-3580-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download
memory/1072-3582-0x000000001B7E0000-0x000000001B7F0000-memory.dmp

Filesize
64KB

Download
memory/1072-3583-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3585-0x000000001BB90000-0x000000001BB9E000-memory.dmp

Filesize
56KB

Download
memory/1072-3587-0x000000001CA00000-0x000000001CA12000-memory.dmp

Filesize
72KB

Download
memory/1072-3589-0x000000001C980000-0x000000001C98C000-memory.dmp

Filesize
48KB

Download
memory/1072-3591-0x000000001C990000-0x000000001C9A0000-memory.dmp

Filesize
64KB

Download
memory/1072-3593-0x000000001CA40000-0x000000001CA56000-memory.dmp

Filesize
88KB

Download
memory/1072-3595-0x000000001CA60000-0x000000001CA72000-memory.dmp

Filesize
72KB

Download
memory/1072-3596-0x000000001CFB0000-0x000000001D4D8000-memory.dmp

Filesize
5.2MB

Download
memory/1072-3599-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3601-0x000000001CA20000-0x000000001CA30000-memory.dmp

Filesize
64KB

Download
memory/1072-3598-0x000000001C9A0000-0x000000001C9AE000-memory.dmp

Filesize
56KB

Download
memory/1072-3603-0x000000001CA30000-0x000000001CA40000-memory.dmp

Filesize
64KB

Download
memory/1072-3605-0x000000001CAE0000-0x000000001CB3A000-memory.dmp

Filesize
360KB

Download
memory/1072-3608-0x000000001CA80000-0x000000001CA8E000-memory.dmp

Filesize
56KB

Download
memory/1072-3606-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3610-0x000000001CA90000-0x000000001CAA0000-memory.dmp

Filesize
64KB

Download
memory/1072-3612-0x000000001CAA0000-0x000000001CAAE000-memory.dmp

Filesize
56KB

Download
memory/1072-3613-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-3615-0x000000001CAB0000-0x000000001CAB8000-memory.dmp

Filesize
32KB

Download
memory/1072-3617-0x000000001CB40000-0x000000001CB58000-memory.dmp

Filesize
96KB

Download
memory/1072-3619-0x000000001CAC0000-0x000000001CACC000-memory.dmp

Filesize
48KB

Download
memory/1072-3642-0x00007FFEB3DF0000-0x00007FFEB48B1000-memory.dmp

Filesize
10.8MB

Download
memory/1072-51-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-45-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-42-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-30-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-23-0x000000001B800000-0x000000001BB36000-memory.dmp

Filesize
3.2MB

Download
memory/1072-2-0x000000001B800000-0x000000001BB3C000-memory.dmp

Filesize
3.2MB

Download
memory/1072-1-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/1072-0-0x00007FFEB3DF3000-0x00007FFEB3DF5000-memory.dmp

Filesize
8KB

Download
memory/1356-3652-0x000001CCB0390000-0x000001CCB03B2000-memory.dmp

Filesize
136KB

Download