dcrat | 841ac24e73d5991bc0e7249257bda26329a9242829cf0e502e267725816fa2cb

Analysis

max time kernel
150s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-02-2025 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88ElUKogRKGiq.exe
Size

1.1MB
MD5

98bc6986b35fa731860febb8f60de8fb
SHA1

b985bdb9d2f2d6ac3085ca5f176f0a0d880bb31e
SHA256

841ac24e73d5991bc0e7249257bda26329a9242829cf0e502e267725816fa2cb
SHA512

92724f813370fffa7fe60ba35547e1282f2b1b521a45e6bac9bd42943c5a64519863b0c78fc9a0a38d71577b1e5e5d7a61754f6c921ec962c6b4b84e76db8e7c
SSDEEP

24576:P2G/nvxW3WB0A5wH9WpcT5neONb8GM2IgYg:PbA3TA5kWIzM2P

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3884	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2016	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2016	schtasks.exe	84

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/files/0x000b000000027ca0-13.dat	dcrat
behavioral4/memory/3372-16-0x0000000000B50000-0x0000000000C26000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	reviewCrtsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	88ElUKogRKGiq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
3372	reviewCrtsvc.exe
1288	System.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe	reviewCrtsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\5940a34987c991	reviewCrtsvc.exe
File created	C:\Program Files\Windows NT\Accessories\uk-UA\csrss.exe	reviewCrtsvc.exe
File created	C:\Program Files\Windows NT\Accessories\uk-UA\886983d96e3d3e	reviewCrtsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\TextInputHost.exe	reviewCrtsvc.exe
File created	C:\Program Files\Windows NT\Accessories\ja-JP\22eafd247d37c3	reviewCrtsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\System.exe	reviewCrtsvc.exe
File created	C:\Windows\bcastdvr\27d1bcfc3c54e0	reviewCrtsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88ElUKogRKGiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	88ElUKogRKGiq.exe
Key created	\REGISTRY\USER\S-1-5-21-950679536-2019665560-1662069516-1000_Classes\Local Settings	reviewCrtsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
856	schtasks.exe
4976	schtasks.exe
4700	schtasks.exe
1700	schtasks.exe
4612	schtasks.exe
4936	schtasks.exe
4044	schtasks.exe
3884	schtasks.exe
2712	schtasks.exe
328	schtasks.exe
2292	schtasks.exe
3288	schtasks.exe
4860	schtasks.exe
1552	schtasks.exe
3400	schtasks.exe
2532	schtasks.exe
4324	schtasks.exe
4888	schtasks.exe
2036	schtasks.exe
2236	schtasks.exe
1632	schtasks.exe
3408	schtasks.exe
4248	schtasks.exe
2576	schtasks.exe
964	schtasks.exe
4508	schtasks.exe
2384	schtasks.exe
2456	schtasks.exe
4548	schtasks.exe
392	schtasks.exe
4728	schtasks.exe
2132	schtasks.exe
2904	schtasks.exe
1440	schtasks.exe
4712	schtasks.exe
4272	schtasks.exe
4880	schtasks.exe
2452	schtasks.exe
4264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
3372	reviewCrtsvc.exe
1288	System.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	reviewCrtsvc.exe
Token: SeDebugPrivilege	1288	System.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 4404	1732	88ElUKogRKGiq.exe	80
PID 1732 wrote to memory of 4404	1732	88ElUKogRKGiq.exe	80
PID 1732 wrote to memory of 4404	1732	88ElUKogRKGiq.exe	80
PID 4404 wrote to memory of 2932	4404	WScript.exe	81
PID 4404 wrote to memory of 2932	4404	WScript.exe	81
PID 4404 wrote to memory of 2932	4404	WScript.exe	81
PID 2932 wrote to memory of 3372	2932	cmd.exe	83
PID 2932 wrote to memory of 3372	2932	cmd.exe	83
PID 3372 wrote to memory of 3732	3372	reviewCrtsvc.exe	124
PID 3372 wrote to memory of 3732	3372	reviewCrtsvc.exe	124
PID 3732 wrote to memory of 4140	3732	cmd.exe	126
PID 3732 wrote to memory of 4140	3732	cmd.exe	126
PID 3732 wrote to memory of 1288	3732	cmd.exe	127
PID 3732 wrote to memory of 1288	3732	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88ElUKogRKGiq.exe
"C:\Users\Admin\AppData\Local\Temp\88ElUKogRKGiq.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\hyperBrowserBrokerHostdll\hqtgty6IfA4McJT.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\hyperBrowserBrokerHostdll\QZQrYx5okPQ1f3mC3Fq9VHqmR.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\hyperBrowserBrokerHostdll\reviewCrtsvc.exe
      "C:\hyperBrowserBrokerHostdll\reviewCrtsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iopuafvAUR.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4140
      - C:\Windows\bcastdvr\System.exe
        
        "C:\Windows\bcastdvr\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewCrtsvcr" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\reviewCrtsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewCrtsvc" /sc ONLOGON /tr "'C:\Users\Admin\reviewCrtsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewCrtsvcr" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\reviewCrtsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\bcastdvr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\bcastdvr\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\hyperBrowserBrokerHostdll\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\hyperBrowserBrokerHostdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\hyperBrowserBrokerHostdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewCrtsvcr" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\reviewCrtsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewCrtsvc" /sc ONLOGON /tr "'C:\Users\Default User\reviewCrtsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewCrtsvcr" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\reviewCrtsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iopuafvAUR.bat

Filesize
195B

MD5
2c3f3f6d257f7f03b19b712595f9365b

SHA1
602aa8bdef7445c7959d775f92ae735dc30cbd76

SHA256
efda9365afeec59f6938deef6a4a6cc54705907362e881fb955a77a6de608f56

SHA512
4dae951cdd2ee895ae44496b7898afff7bf4712e67e10975948cefe1102f52721e48a89f2968f9bf62ad107abe73a8b98f7364501f37acba68bda02529279355

Download Submit
C:\hyperBrowserBrokerHostdll\QZQrYx5okPQ1f3mC3Fq9VHqmR.bat

Filesize
47B

MD5
d67d10f75b7b4e28c503707953b32fb3

SHA1
6eaaf8c76c19aef7dd0df0845bed1f875f5f012d

SHA256
968eefb7861382be8c5f2cb8d9174862fd64bd021f9fcffa729c811dc458a762

SHA512
f02de49c0812fafd965fffa99fff8c380f8d08293742e8dd611b5cb4702797673c9ff9d60a0047b2b22574ea00618b995241ec6d977b8fe7a67e11d88282cf78

Download Submit
C:\hyperBrowserBrokerHostdll\hqtgty6IfA4McJT.vbe

Filesize
227B

MD5
84b41cd7fb87e8363ba0d99f69a603d5

SHA1
785000ebb18ea91e258d5519989dba717dea19fd

SHA256
cc3bfde414a2dc3ff114cd64e135853553a477cfd8eba0240e4b3ba36edc3029

SHA512
33c7b363a21cb1c4802012b007a42ec1566c7978b29f01233ba1365168478c00672749688d3c1a156816695ebc3eeeda98c48ac9b784b258580b32ad0175682e

Download Submit
C:\hyperBrowserBrokerHostdll\reviewCrtsvc.exe

Filesize
827KB

MD5
0ca5ff2ae7c8e10ad70a298713d4b1ac

SHA1
85c10fc211d92759b5782961ad31b536386d778b

SHA256
e071281f0960acaaf5ec5d8c1607355420ef969e1231b530659328b46d640ef5

SHA512
6c7fac54a64f1bf81413a5bed75086096be3308ae0d90e2d8def19819d88598389db2da9296b7231056acd95cc1dee5ff167798a830189684faafc401319291d

Download Submit
memory/3372-15-0x00007FFBF3713000-0x00007FFBF3715000-memory.dmp

Filesize
8KB

Download
memory/3372-16-0x0000000000B50000-0x0000000000C26000-memory.dmp

Filesize
856KB

Download