dcrat | 848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
07-02-2025 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e7538073640e94a8d277d5c455e88d8.exe
Size

1.7MB
MD5

0e7538073640e94a8d277d5c455e88d8
SHA1

23320607446a750d0f0b79b75facd0e15c881e85
SHA256

848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5
SHA512

225a5d1863ada9d82d51ee9b4f073ca1d964b237fa1994970adb07b0b16ba3c6c759ce11f2f0806f96be75f688ac4674e33cba0de39ea40ab96d64654323d844
SSDEEP

49152:aLUbMVuHF+xDNs7Y8R7mY58jJlMUwgUK:agbCvxDNIY8hujEJK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\Favorites\\MicrosoftEdgeUpdate.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\Favorites\\MicrosoftEdgeUpdate.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\MicrosoftEdgeUpdate.exe\", \"C:\\Recovery\\WindowsRE\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\Favorites\\MicrosoftEdgeUpdate.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\MicrosoftEdgeUpdate.exe\", \"C:\\Recovery\\WindowsRE\\MicrosoftEdgeUpdate.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\0e7538073640e94a8d277d5c455e88d8.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\Favorites\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\unsecapp.exe\", \"C:\\Users\\Default\\Favorites\\MicrosoftEdgeUpdate.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\fontdrvhost.exe\""	0e7538073640e94a8d277d5c455e88d8.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3248	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	3248	schtasks.exe	89

Downloads MZ/PE file 1 IoCs

flow	pid	Process
39	1968	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation	0e7538073640e94a8d277d5c455e88d8.exe

Executes dropped EXE 1 IoCs

pid	Process
4384	unsecapp.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate = "\"C:\\Users\\Default\\Favorites\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate = "\"C:\\Program Files\\Windows Multimedia Platform\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate = "\"C:\\Recovery\\WindowsRE\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate = "\"C:\\Recovery\\WindowsRE\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0e7538073640e94a8d277d5c455e88d8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0e7538073640e94a8d277d5c455e88d8.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0e7538073640e94a8d277d5c455e88d8 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0e7538073640e94a8d277d5c455e88d8.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Recovery\\WindowsRE\\unsecapp.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate = "\"C:\\Users\\Default\\Favorites\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\fontdrvhost.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Esl\\fontdrvhost.exe\""	0e7538073640e94a8d277d5c455e88d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate = "\"C:\\Program Files\\Windows Multimedia Platform\\MicrosoftEdgeUpdate.exe\""	0e7538073640e94a8d277d5c455e88d8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCB8E502E7B2744BC5891EAE5B9C89F67B.TMP	csc.exe
File created	\??\c:\Windows\System32\n4se4d.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Multimedia Platform\MicrosoftEdgeUpdate.exe	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files\Windows Multimedia Platform\cab239ce0bfa3a	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe	0e7538073640e94a8d277d5c455e88d8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5b884080fd4f94	0e7538073640e94a8d277d5c455e88d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4940	MicrosoftEdgeUpdate.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000_Classes\Local Settings	0e7538073640e94a8d277d5c455e88d8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3284	schtasks.exe
3916	schtasks.exe
5048	schtasks.exe
3736	schtasks.exe
3356	schtasks.exe
4212	schtasks.exe
1560	schtasks.exe
2560	schtasks.exe
4944	schtasks.exe
2156	schtasks.exe
1748	schtasks.exe
4860	schtasks.exe
4176	schtasks.exe
4568	schtasks.exe
4844	schtasks.exe
4396	schtasks.exe
4772	schtasks.exe
4968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4572	0e7538073640e94a8d277d5c455e88d8.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe
4384	unsecapp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	0e7538073640e94a8d277d5c455e88d8.exe
Token: SeDebugPrivilege	4384	unsecapp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4168	4572	0e7538073640e94a8d277d5c455e88d8.exe	93
PID 4572 wrote to memory of 4168	4572	0e7538073640e94a8d277d5c455e88d8.exe	93
PID 4168 wrote to memory of 1660	4168	csc.exe	95
PID 4168 wrote to memory of 1660	4168	csc.exe	95
PID 4572 wrote to memory of 4464	4572	0e7538073640e94a8d277d5c455e88d8.exe	111
PID 4572 wrote to memory of 4464	4572	0e7538073640e94a8d277d5c455e88d8.exe	111
PID 4464 wrote to memory of 1772	4464	cmd.exe	113
PID 4464 wrote to memory of 1772	4464	cmd.exe	113
PID 4464 wrote to memory of 2756	4464	cmd.exe	114
PID 4464 wrote to memory of 2756	4464	cmd.exe	114
PID 4464 wrote to memory of 4384	4464	cmd.exe	115
PID 4464 wrote to memory of 4384	4464	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe
"C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dkgp1gvd\dkgp1gvd.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E07.tmp" "c:\Windows\System32\CSCB8E502E7B2744BC5891EAE5B9C89F67B.TMP"
    3⤵
    PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hvyXQbI46M.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1772
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2756
- - C:\Recovery\WindowsRE\unsecapp.exe
    "C:\Recovery\WindowsRE\unsecapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Favorites\MicrosoftEdgeUpdate.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Users\Default\Favorites\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Multimedia Platform\MicrosoftEdgeUpdate.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MicrosoftEdgeUpdate.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdate" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MicrosoftEdgeUpdateM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\MicrosoftEdgeUpdate.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e7538073640e94a8d277d5c455e88d80" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e7538073640e94a8d277d5c455e88d8" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "0e7538073640e94a8d277d5c455e88d80" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\0e7538073640e94a8d277d5c455e88d8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTQ0RjdFQjItQkIwNy00RjMyLTlEMDEtRUQxQTc2MThCMjFDfSIgdXNlcmlkPSJ7NEM3NEQ3NzAtRDc4NC00Q0E3LTgwMjMtNUY4RDcxRTRGODYxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkEwNUJFMEItNjZFNi00NTExLUI2NDUtRDBCOEMwQzc2N0REfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTcxMzg4MzM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\unsecapp.exe

Filesize
1.7MB

MD5
0e7538073640e94a8d277d5c455e88d8

SHA1
23320607446a750d0f0b79b75facd0e15c881e85

SHA256
848feeb5b4b55aef6fbd560d0800ee2370d4cb935495abb82f2870169c42aae5

SHA512
225a5d1863ada9d82d51ee9b4f073ca1d964b237fa1994970adb07b0b16ba3c6c759ce11f2f0806f96be75f688ac4674e33cba0de39ea40ab96d64654323d844

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E07.tmp

Filesize
1KB

MD5
96aec67071d59f7fcaa3ab4bb6a967f8

SHA1
8de4b27b42277c44e63c508df85134fd0bf52712

SHA256
03e27a1f71f0d46bef2cd0e8b4d5fb09becc041fbacefa1f818a10384e6318e8

SHA512
cf66b2911af6824d08bdf600940908ca4884970fa704500f73ea610bf72904a4efb03caf3ea30f334b052caa708e0df884abebe667b6cf9c5e9e1f25e0bfab2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvyXQbI46M.bat

Filesize
210B

MD5
284b95b3de8a27eba4bdc9b7c69a3fbe

SHA1
c0e8c9649c79b0e38f91a78e927e698dc345d351

SHA256
e525e22da78c48782f54fc7a9ec318f8ad08f37c38c36f072f57dd357e165347

SHA512
ffa1be003a46f00c44b2ea495215b286a68e5c7cd2b96094bae3ed025497578b2e513d255db5405de1e636898bc2e4cdc9b4d356ea624bfccb9152d02989e70d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dkgp1gvd\dkgp1gvd.0.cs

Filesize
366B

MD5
b142ab094e55225291da6e33a7d743d5

SHA1
9e27744939858337a5a76b60cce4f9db8c263007

SHA256
0f0ef851a1dc2b5307af5d9bf167a35bb1dba9b2566e73ada663f162880cb463

SHA512
81b3e697589de54256c6987ef1730483799ddccd7eccd00b447e8f575e2c2be89d8e0769221c4d4da517ff075320bacd145275d347324aae022575ef3bbc3b8c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dkgp1gvd\dkgp1gvd.cmdline

Filesize
235B

MD5
5a28f4570db49d26fd71e9688346cb5b

SHA1
c904bf50b378efaed24017cdb225608cca27e0ec

SHA256
3476a51647b18e31fd04450e7b81819f3b0182153ed538c2dccac69e159bf149

SHA512
e1d11dca2110f376f3e8e449edd1e30ffb7768efc7e1be224031cb9d45456fb994561582e55ad3fcac552f951e4444c3fb53ef0b6716d91a2b88f6bdf381fedc

Download Submit
\??\c:\Windows\System32\CSCB8E502E7B2744BC5891EAE5B9C89F67B.TMP

Filesize
1KB

MD5
a46bad305812412e2715e26d8f5667fb

SHA1
dfbdf015cc5d89cf9f95276aeb4e48f29d19e4d2

SHA256
7a1b50d57164011126e4bcb8a30910139979fd95e4c10b14a03a722a95ffd621

SHA512
3e1c21d77900def18daf878575ba8dbbf0b947d816d27f4ac84eb5d97d77e0aef66c174c1388413e5b18365744fb3a155606fa6c2c7a16a5b264f36e41eb273e

Download Submit
memory/4572-14-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-26-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-11-0x000000001BC80000-0x000000001BC8C000-memory.dmp

Filesize
48KB

Download
memory/4572-12-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-0-0x00007FF8D9D13000-0x00007FF8D9D15000-memory.dmp

Filesize
8KB

Download
memory/4572-7-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-25-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-9-0x000000001BCA0000-0x000000001BCB8000-memory.dmp

Filesize
96KB

Download
memory/4572-27-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-31-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-6-0x000000001B970000-0x000000001B97E000-memory.dmp

Filesize
56KB

Download
memory/4572-4-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-3-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-2-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-47-0x00007FF8D9D10000-0x00007FF8DA7D1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-1-0x0000000000BB0000-0x0000000000D70000-memory.dmp

Filesize
1.8MB

Download