dcrat | 4fa025632546c9a5c346cde16c86c5d129d8381ace82e1a7d59ca865f948c533

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccd01051f9e8bf3301b3bdd406f0bc24.exe
Size

14.0MB
MD5

ccd01051f9e8bf3301b3bdd406f0bc24
SHA1

4e9f71953bd348261e9342f7dd230f274d808e4a
SHA256

4fa025632546c9a5c346cde16c86c5d129d8381ace82e1a7d59ca865f948c533
SHA512

93839aad8a1c533c48c9ef9cfa87c6b5e3abefe0054be20d7a0f1bd8affa2e1787b529ed4fc0371a6874ba7670b50270b554add56436540d4b197d14337455de
SSDEEP

24576:2TbBv5rUyXVnAkClP6KrD3UGYB2Ue9L35+2WcESjvGMJoIlT1sMNAje+Iv4dr6/n:IBJAhMsccEmgIT1sJjdIvqr4tI5E

Score

10^/10

dcrat discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files\\Internet Explorer\\TextInputHost.exe\", \"C:\\Windows\\it-IT\\upfc.exe\", \"C:\\Users\\All Users\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\ChainBroker\\bridgeServerFontSavesMonitor.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files\\Internet Explorer\\TextInputHost.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files\\Internet Explorer\\TextInputHost.exe\", \"C:\\Windows\\it-IT\\upfc.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files\\Internet Explorer\\TextInputHost.exe\", \"C:\\Windows\\it-IT\\upfc.exe\", \"C:\\Users\\All Users\\StartMenuExperienceHost.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files\\Internet Explorer\\TextInputHost.exe\", \"C:\\Windows\\it-IT\\upfc.exe\", \"C:\\Users\\All Users\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\""	bridgeServerFontSavesMonitor.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	4080	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4080	schtasks.exe	86

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ccd01051f9e8bf3301b3bdd406f0bc24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	bridgeServerFontSavesMonitor.exe

Executes dropped EXE 2 IoCs

pid	Process
3932	bridgeServerFontSavesMonitor.exe
1700	bridgeServerFontSavesMonitor.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\it-IT\\upfc.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\it-IT\\upfc.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Internet Explorer\\TextInputHost.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\All Users\\StartMenuExperienceHost.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\All Users\\StartMenuExperienceHost.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeServerFontSavesMonitor = "\"C:\\ChainBroker\\bridgeServerFontSavesMonitor.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bridgeServerFontSavesMonitor = "\"C:\\ChainBroker\\bridgeServerFontSavesMonitor.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\""	bridgeServerFontSavesMonitor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Internet Explorer\\TextInputHost.exe\""	bridgeServerFontSavesMonitor.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC77EDF692A16E43C5B7E0AC558AE83E6B.TMP	csc.exe
File created	\??\c:\Windows\System32\8zj1cq.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\TextInputHost.exe	bridgeServerFontSavesMonitor.exe
File created	C:\Program Files\Internet Explorer\22eafd247d37c3	bridgeServerFontSavesMonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\upfc.exe	bridgeServerFontSavesMonitor.exe
File created	C:\Windows\it-IT\ea1d8f6d871115	bridgeServerFontSavesMonitor.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccd01051f9e8bf3301b3bdd406f0bc24.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	ccd01051f9e8bf3301b3bdd406f0bc24.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	bridgeServerFontSavesMonitor.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1392	schtasks.exe
4464	schtasks.exe
4444	schtasks.exe
3856	schtasks.exe
2292	schtasks.exe
2224	schtasks.exe
4828	schtasks.exe
3048	schtasks.exe
4920	schtasks.exe
2148	schtasks.exe
5044	schtasks.exe
3128	schtasks.exe
3656	schtasks.exe
4008	schtasks.exe
1552	schtasks.exe
2348	schtasks.exe
4140	schtasks.exe
1592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
3932	bridgeServerFontSavesMonitor.exe
1700	bridgeServerFontSavesMonitor.exe
1700	bridgeServerFontSavesMonitor.exe
1700	bridgeServerFontSavesMonitor.exe
1700	bridgeServerFontSavesMonitor.exe
1700	bridgeServerFontSavesMonitor.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	bridgeServerFontSavesMonitor.exe
Token: SeDebugPrivilege	1700	bridgeServerFontSavesMonitor.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 4620	840	ccd01051f9e8bf3301b3bdd406f0bc24.exe	82
PID 840 wrote to memory of 4620	840	ccd01051f9e8bf3301b3bdd406f0bc24.exe	82
PID 840 wrote to memory of 4620	840	ccd01051f9e8bf3301b3bdd406f0bc24.exe	82
PID 4620 wrote to memory of 3824	4620	WScript.exe	87
PID 4620 wrote to memory of 3824	4620	WScript.exe	87
PID 4620 wrote to memory of 3824	4620	WScript.exe	87
PID 3824 wrote to memory of 3932	3824	cmd.exe	89
PID 3824 wrote to memory of 3932	3824	cmd.exe	89
PID 3932 wrote to memory of 4048	3932	bridgeServerFontSavesMonitor.exe	94
PID 3932 wrote to memory of 4048	3932	bridgeServerFontSavesMonitor.exe	94
PID 4048 wrote to memory of 4040	4048	csc.exe	96
PID 4048 wrote to memory of 4040	4048	csc.exe	96
PID 3932 wrote to memory of 2000	3932	bridgeServerFontSavesMonitor.exe	112
PID 3932 wrote to memory of 2000	3932	bridgeServerFontSavesMonitor.exe	112
PID 2000 wrote to memory of 1400	2000	cmd.exe	114
PID 2000 wrote to memory of 1400	2000	cmd.exe	114
PID 2000 wrote to memory of 4596	2000	cmd.exe	115
PID 2000 wrote to memory of 4596	2000	cmd.exe	115
PID 2000 wrote to memory of 1700	2000	cmd.exe	118
PID 2000 wrote to memory of 1700	2000	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ccd01051f9e8bf3301b3bdd406f0bc24.exe
"C:\Users\Admin\AppData\Local\Temp\ccd01051f9e8bf3301b3bdd406f0bc24.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ChainBroker\WiJ0Q2cIafyWfcOMJ8mrmlFuDvVbi9nZIDl7gyLiG4eFyDELulT2kNl2MWww.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\ChainBroker\IrbV6YakyWCvQIuALcoa2IhBwWZ19ItpwUlqov7vyFBfFx5s16nM.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\ChainBroker\bridgeServerFontSavesMonitor.exe
      "C:\ChainBroker/bridgeServerFontSavesMonitor.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3gxww20\q3gxww20.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE474.tmp" "c:\Windows\System32\CSC77EDF692A16E43C5B7E0AC558AE83E6B.TMP"
        6⤵
        
        PID:4040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WZqCqcFRCm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1400
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4596
      - C:\ChainBroker\bridgeServerFontSavesMonitor.exe
        
        "C:\ChainBroker\bridgeServerFontSavesMonitor.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeServerFontSavesMonitorb" /sc MINUTE /mo 9 /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeServerFontSavesMonitor" /sc ONLOGON /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgeServerFontSavesMonitorb" /sc MINUTE /mo 7 /tr "'C:\ChainBroker\bridgeServerFontSavesMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ChainBroker\IrbV6YakyWCvQIuALcoa2IhBwWZ19ItpwUlqov7vyFBfFx5s16nM.bat

Filesize
101B

MD5
746d44098ab92e627cebe72cfa9c560d

SHA1
b51342547c4b9227df75ed19d60c462827f83204

SHA256
7ca477b6f171461fa1b2ae2350a938b518d4323a03d4acc95ded7b4f518d1147

SHA512
b5f3daa4bee7a3317c1bf23b0c0d12861742328478c31b7714798b5be7ecd7ac6cc799532103db9a8a2a0d90a347b553b92f9cbfad43b2e19e57a16029449b03

Download Submit
C:\ChainBroker\WiJ0Q2cIafyWfcOMJ8mrmlFuDvVbi9nZIDl7gyLiG4eFyDELulT2kNl2MWww.vbe

Filesize
241B

MD5
ee1d4dd46a1cb9b8dcf5841dae6bbc93

SHA1
7b5f9134a578673858b826c698dc0360db7d565f

SHA256
d2c34e5da842bf7ecb384880d6dbf05dffd1e59775961e017a281e3958f0b434

SHA512
9d1db891b0589e02812632d92ec297ae526abdeb7d37367728c0b6cfdeb0ff34acd9f5d8833654984fcec124c328eb41e4ac805fb1f6d9477e2933731eed02b3

Download Submit
C:\ChainBroker\bridgeServerFontSavesMonitor.exe

Filesize
13.7MB

MD5
39953acd4fd32884e6cad0d1e4688051

SHA1
31579801f012118285f1fd48ccf63b07ebe1594a

SHA256
5773e581ce59418ee4c3f205d4fa16ad74718d16d1d8e4dd37332bb4ecb850bf

SHA512
3823ad17c90ef4454a774e59d9b5e37b11abf451d6485c4bf7f54cf04738d01a3b6020346fc7817cb48b32cfcefbce46667b3b185baf44c0ff00ecb4e027df35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\bridgeServerFontSavesMonitor.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE474.tmp

Filesize
1KB

MD5
15900ed0e738ecbb3624d20ab1350ce7

SHA1
2dcc7d373142263e7fc9289f80f3cce7db0c2ff9

SHA256
f2d87189a362e63ccb1d780a71e6b7fd1485c0d4a3b30c98a1fef9ded670c174

SHA512
62a81aab5754f3c07b488223bf599077650b971bfa1703c63de5a4d49ba37bbd1f61c383ebbbf302875b6f9b56dc19248f60de358f44865b5cdbb23934830aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZqCqcFRCm.bat

Filesize
223B

MD5
de5529cd1c3d77f2951249b47a4ea6fc

SHA1
db648a56d3f8a41e50a4eab83861110fbf7d9de4

SHA256
7326f791d30f00ebe56e7c9fc9a0273c1e78b001ae93fb3d00bcfbd6619765a3

SHA512
7b36f616df0bfae26b2f37e29ea586d086a8bd5c61aa1e54ace9fa6e689fac7a5841e9dfd99be6a44d8bc73f5aa37ddf6a50a92026b8446626a8059adf62931c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3gxww20\q3gxww20.0.cs

Filesize
364B

MD5
472f7a4cfa9e05562b107c45f151a1c6

SHA1
6b8d66dc3dbdf77322ab57e56dbdd5f18f678150

SHA256
5f60128195f7b6c50125cd5e4a6921946b3537e3c409d480b2e85d74041cb8e2

SHA512
5221cc25137901394b6e81b705458ae4c41c7f842a050a6b4c8ad63b79c1350b469c0a980824c14a9478703f338dcdaa19ff15b5e9ce8553eecde7a13ea4cc61

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q3gxww20\q3gxww20.cmdline

Filesize
235B

MD5
06fec4ce40dba489d887256b12937719

SHA1
d3ea879a4f0dd3dc20130e91ec4c175c17085b92

SHA256
5cc28dd6f4de548c88fb781edb26b7b5b201732229c0002ef7db477916e922e9

SHA512
515a4f687ba9cb6e189d70cec3ec29ac698890004a511a6295ee62ef1b2f8823e3601fc13fabc63a3f9a00104accbd430d689a6015ae07b11217a47d63fc8301

Download Submit
\??\c:\Windows\System32\CSC77EDF692A16E43C5B7E0AC558AE83E6B.TMP

Filesize
1KB

MD5
d544bac668d308d2aba58ded2c13d82d

SHA1
e5dd50ef24d5c16629092f9290661a92387773b3

SHA256
84b05d56c45fd0382410fcd59e16aeef467ed0a455595dda88386dd5c87d7a02

SHA512
0826de2bc95d93dde2c540d2d768a0188481ee88f1da79f9c7d70d7ccd3c8715b8f1d62053f84d14f19e4d2b0a13e67084d970a158464e6223e340eb0733e1b0

Download Submit
memory/3932-13-0x0000000000C50000-0x0000000000E2A000-memory.dmp

Filesize
1.9MB

Download
memory/3932-22-0x0000000003010000-0x000000000301C000-memory.dmp

Filesize
48KB

Download
memory/3932-20-0x000000001BA80000-0x000000001BA98000-memory.dmp

Filesize
96KB

Download
memory/3932-18-0x000000001BAD0000-0x000000001BB20000-memory.dmp

Filesize
320KB

Download
memory/3932-17-0x0000000003040000-0x000000000305C000-memory.dmp

Filesize
112KB

Download
memory/3932-15-0x0000000003000000-0x000000000300E000-memory.dmp

Filesize
56KB

Download
memory/3932-12-0x00007FFC03A93000-0x00007FFC03A95000-memory.dmp

Filesize
8KB

Download