dcrat | 82e3832d52413d37e20a7dc822ed59bbec29927716f5a9c8e90f1e710c744b82

Analysis

max time kernel
120s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27/03/2025, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

1.9MB
MD5

fc06b895d807fd63de36914ddf278cd9
SHA1

3fc5e6bfaba1adfb44a5e2af8f6350b0f292b57c
SHA256

82e3832d52413d37e20a7dc822ed59bbec29927716f5a9c8e90f1e710c744b82
SHA512

fbf1b1a0c0a3175f4162e89b7285ead314770934767333bae5c60db0ecf0799e9ee3667ddb966b27367b45a2a4151ea4d4af43efdcfbf84828b86ef0fc3867a0
SSDEEP

49152:4p5fMbCt/PzfzpLzE+0X4XncPdQfukH7W9GHI/Dd5B5:8f+C1PzLpEnIXndG27iV/DHB

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Favorites\\conhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Favorites\\conhost.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Favorites\\conhost.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\Users\\All Users\\Documents\\WmiPrvSE.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Favorites\\conhost.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\Users\\All Users\\Documents\\WmiPrvSE.exe\", \"C:\\msWebfontCommonsvc\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Favorites\\conhost.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\Users\\All Users\\Documents\\WmiPrvSE.exe\", \"C:\\msWebfontCommonsvc\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WMIADAP.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Favorites\\conhost.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\Users\\All Users\\Documents\\WmiPrvSE.exe\", \"C:\\msWebfontCommonsvc\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WMIADAP.exe\", \"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	600	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	600	schtasks.exe	33

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1528	powershell.exe
2052	powershell.exe
2044	powershell.exe
1264	powershell.exe
912	powershell.exe
968	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2992	Lcwlqtdj.exe
2484	Wgpdo.exe
2724	ContainerAgentBrowserSession.exe
2540	ContainerAgentBrowserSession.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WMIADAP.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Favorites\\conhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\All Users\\Documents\\WmiPrvSE.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\msWebfontCommonsvc\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Favorites\\conhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\All Users\\Documents\\WmiPrvSE.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\msWebfontCommonsvc\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Program Files (x86)\\Microsoft SQL Server Compact Edition\\v3.5\\Desktop\\WMIADAP.exe\""	ContainerAgentBrowserSession.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC59A8D4589E734210AFDB792EA85F640.TMP	csc.exe
File created	\??\c:\Windows\System32\_f1q_j.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WMIADAP.exe	ContainerAgentBrowserSession.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WMIADAP.exe	ContainerAgentBrowserSession.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\75a57c1bdf437c	ContainerAgentBrowserSession.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\csrss.exe	ContainerAgentBrowserSession.exe
File created	C:\Windows\Offline Web Pages\886983d96e3d3e	ContainerAgentBrowserSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wgpdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1628	schtasks.exe
2300	schtasks.exe
1764	schtasks.exe
1140	schtasks.exe
1832	schtasks.exe
856	schtasks.exe
1560	schtasks.exe
1744	schtasks.exe
2744	schtasks.exe
3024	schtasks.exe
2492	schtasks.exe
1952	schtasks.exe
2956	schtasks.exe
1884	schtasks.exe
2208	schtasks.exe
1824	schtasks.exe
1816	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe
2724	ContainerAgentBrowserSession.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	ContainerAgentBrowserSession.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2540	ContainerAgentBrowserSession.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2992	2308	Launcher.exe	31
PID 2308 wrote to memory of 2992	2308	Launcher.exe	31
PID 2308 wrote to memory of 2992	2308	Launcher.exe	31
PID 2308 wrote to memory of 2484	2308	Launcher.exe	32
PID 2308 wrote to memory of 2484	2308	Launcher.exe	32
PID 2308 wrote to memory of 2484	2308	Launcher.exe	32
PID 2308 wrote to memory of 2484	2308	Launcher.exe	32
PID 2484 wrote to memory of 2980	2484	Wgpdo.exe	34
PID 2484 wrote to memory of 2980	2484	Wgpdo.exe	34
PID 2484 wrote to memory of 2980	2484	Wgpdo.exe	34
PID 2484 wrote to memory of 2980	2484	Wgpdo.exe	34
PID 2980 wrote to memory of 2928	2980	WScript.exe	35
PID 2980 wrote to memory of 2928	2980	WScript.exe	35
PID 2980 wrote to memory of 2928	2980	WScript.exe	35
PID 2980 wrote to memory of 2928	2980	WScript.exe	35
PID 2928 wrote to memory of 2724	2928	cmd.exe	37
PID 2928 wrote to memory of 2724	2928	cmd.exe	37
PID 2928 wrote to memory of 2724	2928	cmd.exe	37
PID 2928 wrote to memory of 2724	2928	cmd.exe	37
PID 2724 wrote to memory of 2156	2724	ContainerAgentBrowserSession.exe	41
PID 2724 wrote to memory of 2156	2724	ContainerAgentBrowserSession.exe	41
PID 2724 wrote to memory of 2156	2724	ContainerAgentBrowserSession.exe	41
PID 2156 wrote to memory of 1632	2156	csc.exe	43
PID 2156 wrote to memory of 1632	2156	csc.exe	43
PID 2156 wrote to memory of 1632	2156	csc.exe	43
PID 2724 wrote to memory of 1528	2724	ContainerAgentBrowserSession.exe	59
PID 2724 wrote to memory of 1528	2724	ContainerAgentBrowserSession.exe	59
PID 2724 wrote to memory of 1528	2724	ContainerAgentBrowserSession.exe	59
PID 2724 wrote to memory of 2052	2724	ContainerAgentBrowserSession.exe	60
PID 2724 wrote to memory of 2052	2724	ContainerAgentBrowserSession.exe	60
PID 2724 wrote to memory of 2052	2724	ContainerAgentBrowserSession.exe	60
PID 2724 wrote to memory of 2044	2724	ContainerAgentBrowserSession.exe	61
PID 2724 wrote to memory of 2044	2724	ContainerAgentBrowserSession.exe	61
PID 2724 wrote to memory of 2044	2724	ContainerAgentBrowserSession.exe	61
PID 2724 wrote to memory of 1264	2724	ContainerAgentBrowserSession.exe	62
PID 2724 wrote to memory of 1264	2724	ContainerAgentBrowserSession.exe	62
PID 2724 wrote to memory of 1264	2724	ContainerAgentBrowserSession.exe	62
PID 2724 wrote to memory of 912	2724	ContainerAgentBrowserSession.exe	63
PID 2724 wrote to memory of 912	2724	ContainerAgentBrowserSession.exe	63
PID 2724 wrote to memory of 912	2724	ContainerAgentBrowserSession.exe	63
PID 2724 wrote to memory of 968	2724	ContainerAgentBrowserSession.exe	64
PID 2724 wrote to memory of 968	2724	ContainerAgentBrowserSession.exe	64
PID 2724 wrote to memory of 968	2724	ContainerAgentBrowserSession.exe	64
PID 2724 wrote to memory of 2248	2724	ContainerAgentBrowserSession.exe	71
PID 2724 wrote to memory of 2248	2724	ContainerAgentBrowserSession.exe	71
PID 2724 wrote to memory of 2248	2724	ContainerAgentBrowserSession.exe	71
PID 2248 wrote to memory of 2788	2248	cmd.exe	73
PID 2248 wrote to memory of 2788	2248	cmd.exe	73
PID 2248 wrote to memory of 2788	2248	cmd.exe	73
PID 2248 wrote to memory of 2916	2248	cmd.exe	74
PID 2248 wrote to memory of 2916	2248	cmd.exe	74
PID 2248 wrote to memory of 2916	2248	cmd.exe	74
PID 2248 wrote to memory of 2540	2248	cmd.exe	75
PID 2248 wrote to memory of 2540	2248	cmd.exe	75
PID 2248 wrote to memory of 2540	2248	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe
  "C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe
  "C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
        
        "C:\msWebfontCommonsvc/ContainerAgentBrowserSession.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o2ie2kxp\o2ie2kxp.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF25A.tmp" "c:\Windows\System32\CSC59A8D4589E734210AFDB792EA85F640.TMP"
        7⤵
        
        PID:1632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msWebfontCommonsvc\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WMIADAP.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E55DMivBxd.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2916
        
        C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
        
        "C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\msWebfontCommonsvc\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\msWebfontCommonsvc\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\msWebfontCommonsvc\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 7 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSession" /sc ONLOGON /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 7 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E55DMivBxd.bat

Filesize
230B

MD5
818fa6686f6a60070cb33e779d7bc6f9

SHA1
a79f2ba39f80c39d343d5f52ecd9cf2dc1bb4aec

SHA256
6944ba530ba4e18f3163f21018f5e396037417da16d92149553768d572930175

SHA512
fe499e77f2bb773998939192275b02c60158742eb8e70f78b5829c7510d0c74eafa8528ae8176730afd2fd8220db71690b994c18a57dc5c57b96895441293b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe

Filesize
568KB

MD5
3547673370be6c843ebbe4ddb8e089b8

SHA1
de077a872cc8a932205e5c5b61984bf6e50f5d17

SHA256
c52244696cfefabb23cfebcae3cc134e2c0fd03a1175755cf867dd3e87a900b4

SHA512
7a87fad7872e6dfabb7aeb91790a7b2eb778ddeecb102406d4465a1c6661c89ee772624d54f7d47169564e935141c1f5ec90f09118dc59ba1f72b462e4d460bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF25A.tmp

Filesize
1KB

MD5
2e85caa105fe89253ad562c0d4d483e9

SHA1
70f29e1b96913ae849b740ae451ba4d2eb9098d2

SHA256
1ae23534619e78d40e525ae7db95370faec220d7502c95d1b030fdd077c283e3

SHA512
eca6c952e83a2f77bdc5c2753e62139d71e07bd982e2dc247eed0fbf29b78d29914fa608ddfb1c047c29ed020da3f36abae72ab594ba404651efc94588035869

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe

Filesize
2.1MB

MD5
fa7058193e55dcf22576be1d81ee4ec9

SHA1
7ac5c2aeff7da77ea0ea71e9e4244dec68ee7a18

SHA256
27beae1aeb07d9aa24f6f4f13d247c7f69d8c412ed9150ac0e13c36de80d159a

SHA512
fbb538fa4d26bd3c554f9e837b134c119a6acff43b0a8cc0b805bcb9a0acfa54d4b0ca18d745f7f167ba9bc9642d8e14e783c38ad7207d55389d8ea7dd1af74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2c32c134a51bb9eb349ccdefb77995ea

SHA1
f88cccdeb8006a4be21f656530e0425eaf961dd0

SHA256
e00d63d6ff1b5c8d8b8eeda74dbb4967ba90b3dfda494efcf4d54863f9de72e2

SHA512
e71910c68195647299db0c1614817c693b5b28b597afbbafeb67c754ff76ceddcb81269b45137b164a195542a6cdb630844fbf9b4f8358758c8711ca0d7402e7

Download Submit
C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe

Filesize
209B

MD5
7456528d87fdbbf7380081612a878945

SHA1
91a8b74ee56e559e664e7e41bc9c9d0cd7a1e344

SHA256
274fd47fcfe3c642aaed07e9d94fe524e1680020d5b63e0eff71e7155973a961

SHA512
4fa8dbfb2aa1c1117bcbd3d1de7bcbc4140efa1eddbada9652304d136b71cdb5de633ac8d48d68e58d0bb6317c7132b1e140003a6dd564e8114a6ab0501f7877

Download Submit
C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe

Filesize
1.8MB

MD5
4b48b143e95e5292b1700bd25ba63c76

SHA1
3b321290b54028f94d2b1736173d18ce16bcc260

SHA256
3b1888daacc09277d0f3daca114f05613f708d260e2950ee5620d77881c584cb

SHA512
f8fb811150f81f9636193506451445b77634b27ad36884bfaa4454887666bbcc7f88ff190e912e3a3f7bf8ed82080280075ad753041d5d9bb50717b22b71bcb0

Download Submit
C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat

Filesize
105B

MD5
d9b64ed326c6cfceaa29ddbee358a8e2

SHA1
42b494e3ffa836f173e1a2b1e3da8a93ffe39561

SHA256
576041699b52e2a3eddb04819000376696a1ad869711dc5d786473e9b9f3c2de

SHA512
32c74021848f6d9b5dc6d38287fe992299c8e1a12113203e1dbcab5f5d2abe922fa9fdf62e6ba0d6dac8c3d5ea5e66af5deca42fa51f2b0b699e90a89cd82e67

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2ie2kxp\o2ie2kxp.0.cs

Filesize
369B

MD5
7e85713265c58e47c432fd5f25c6552b

SHA1
2922183e331df53623b5e237b73a7ac532685da8

SHA256
8975b783f76a8daceb5c33e4047a2ac5abef97e7adf064065b0425722f6e09d6

SHA512
dc548927c44a801245b176462d3ef98a7ee27504deb628d66932a664f7360d5a7a8504bfbf39b93f0cfae1e23242b9f9d5ba1b47b35907530e9be59daefd9935

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o2ie2kxp\o2ie2kxp.cmdline

Filesize
235B

MD5
fe928f7fcec3c6aaf5b0de46c386a67c

SHA1
65fa9e821eb7aa2734479c62326f72e3bb5ea599

SHA256
7ed2cf48adc170761d13f44a6dd162f47655a15ffc588ed13039ce0f08fcc96d

SHA512
0c6fc3b74f12c7ea890ca95b6944ae8d4762b6ba20dba87d0f65722f972052bf75d0239c4068639724a682dd5ecdc21d4f1e033fd5862492fe6be882695385bd

Download Submit
\??\c:\Windows\System32\CSC59A8D4589E734210AFDB792EA85F640.TMP

Filesize
1KB

MD5
fccbcfaf29fdccaabada579f7aaf3ae7

SHA1
f9b179b6aab6b96908d89b35aab3f503478a956d

SHA256
e70bc8ad14a70d490fe92ed86e79c40fc133a64428a2781e14514b16d83a9b02

SHA512
ac047b4ba060e72e224c1afdebbdafecbfd705a67cb8f0cd5c82bf7980c2baa23bdb5bf5d821836bc0c426069a61d8e112b45239887d2d81b8a6d4fa839c1e10

Download Submit
memory/1264-94-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2044-93-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2308-2-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-0-0x000007FEF60B3000-0x000007FEF60B4000-memory.dmp

Filesize
4KB

Download
memory/2308-15-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-1-0x00000000012B0000-0x000000000149C000-memory.dmp

Filesize
1.9MB

Download
memory/2540-97-0x0000000001270000-0x000000000144A000-memory.dmp

Filesize
1.9MB

Download
memory/2724-35-0x0000000000760000-0x000000000077C000-memory.dmp

Filesize
112KB

Download
memory/2724-37-0x0000000000A30000-0x0000000000A48000-memory.dmp

Filesize
96KB

Download
memory/2724-39-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2724-33-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2724-31-0x0000000001070000-0x000000000124A000-memory.dmp

Filesize
1.9MB

Download
memory/2992-11-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-23-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2992-8-0x00000000001C0000-0x0000000000246000-memory.dmp

Filesize
536KB

Download