dcrat | hxxps://goo[.]su/hw8j

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

pid	process
5592	schtasks.exe
5224	schtasks.exe
3004	schtasks.exe
5316	schtasks.exe
3092	schtasks.exe
6000	schtasks.exe
5192	schtasks.exe
3108	schtasks.exe
1556	schtasks.exe
4636	schtasks.exe
5260	schtasks.exe
3068	schtasks.exe
5636	schtasks.exe
3712	schtasks.exe
6072	schtasks.exe
1828	schtasks.exe
5808	schtasks.exe
1476	schtasks.exe
5924	schtasks.exe
492	schtasks.exe
2368	schtasks.exe
5516	schtasks.exe
4104	schtasks.exe
5656	schtasks.exe
5336	schtasks.exe
1300	schtasks.exe
5140	schtasks.exe
5804	schtasks.exe
472	schtasks.exe
3604	schtasks.exe
5368	schtasks.exe
3084	schtasks.exe
3112	schtasks.exe
236	schtasks.exe
1056	schtasks.exe
2632	schtasks.exe
5700	schtasks.exe
5704	schtasks.exe
2436	schtasks.exe
2360	schtasks.exe
6060	schtasks.exe
4808	schtasks.exe
4816	schtasks.exe
2380	schtasks.exe
1608	schtasks.exe
5476	schtasks.exe
5728	schtasks.exe
1832	schtasks.exe
5212	schtasks.exe
3292	schtasks.exe
1664	schtasks.exe
3528	schtasks.exe
5720	schtasks.exe
5860	schtasks.exe
5308	schtasks.exe
5664	schtasks.exe
1592	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133580948145359678"	chrome.exe

Modifies registry class 3 IoCs

Processes:

DCRatBuild.exebridgerefHost.exeDCRatBuild.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings	bridgerefHost.exe
Key created	\REGISTRY\USER\S-1-5-21-801878912-692986033-442676226-1000_Classes\Local Settings	DCRatBuild.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\DCRatBuild.exe:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\DCRatBuild.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exechrome.exebridgerefHost.exetaskmgr.exewinlogon.exe

pid	process
3612	msedge.exe
3612	msedge.exe
4928	msedge.exe
4928	msedge.exe
3892	msedge.exe
3892	msedge.exe
2908	identity_helper.exe
2908	identity_helper.exe
2432	chrome.exe
2432	chrome.exe
3892	bridgerefHost.exe
3892	bridgerefHost.exe
3892	bridgerefHost.exe
3892	bridgerefHost.exe
3892	bridgerefHost.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
3588	winlogon.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exetaskmgr.exe

pid process

3348 7zFM.exe
5564 taskmgr.exe

pid	process
3348	7zFM.exe
5564	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exechrome.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEchrome.exe

description	pid	process
Token: 33	468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	468	AUDIODG.EXE
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe
Token: SeShutdownPrivilege	2432	chrome.exe
Token: SeCreatePagefilePrivilege	2432	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exetaskmgr.exe

pid	process
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
4928	msedge.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
2432	chrome.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe
5564	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4928 wrote to memory of 692	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 692	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 4064	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3612	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 3612	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe
PID 4928 wrote to memory of 5040	4928	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://goo.su/hw8j
1⤵
- DcRat
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe22443cb8,0x7ffe22443cc8,0x7ffe22443cd8
2⤵
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
2⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:3016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
2⤵
PID:4784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
2⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2460 /prefetch:8
2⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
2⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
2⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
2⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,6415226196055071714,5312056373667247857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
2⤵
PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:72

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe0e09ab58,0x7ffe0e09ab68,0x7ffe0e09ab78
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:2
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4200 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4052 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:5680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3356 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:5920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4728 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2688 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4668 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:2220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4988 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2840 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4644 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3224 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:1
2⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4920 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5268 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2696 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2876 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 --field-trial-handle=1932,i,9605049442897114232,329345824786997400,131072 /prefetch:8
2⤵
PID:5740

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1288

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:6096

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comreview\c832ag.vbe"
2⤵
PID:5412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comreview\lMSVD.bat" "
3⤵
PID:2824

C:\comreview\bridgerefHost.exe
"C:\comreview\bridgerefHost.exe"
4⤵
- DcRat
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0fdHlkGdCQ.bat"
5⤵
PID:3312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:5208

C:\comreview\winlogon.exe
"C:\comreview\winlogon.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Saved Games\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\sihost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\sihost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk-1.8\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk-1.8\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\comreview\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\comreview\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\comreview\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\comreview\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\comreview\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\comreview\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\msedge.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\msedge.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgerefHostb" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\bridgerefHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgerefHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\bridgerefHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bridgerefHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\bridgerefHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\AccountPictures\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\comreview\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\comreview\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\comreview\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\chrome.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chrome" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\chrome.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chromec" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\chrome.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\comreview\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\comreview\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\comreview\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\comreview\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\comreview\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\comreview\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:5564

C:\Users\Admin\Desktop\DCRatBuild.exe
"C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3676

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comreview\c832ag.vbe"
2⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comreview\lMSVD.bat" "
3⤵
PID:4052

C:\comreview\bridgerefHost.exe
"C:\comreview\bridgerefHost.exe"
4⤵
- Executes dropped EXE
PID:5672

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\DCRatBuild.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3348

C:\Users\Admin\Desktop\bridgerefHost.exe
"C:\Users\Admin\Desktop\bridgerefHost.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\Desktop\bridgerefHost.exe
"C:\Users\Admin\Desktop\bridgerefHost.exe"
1⤵
- Executes dropped EXE
PID:4736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

System Information Discovery

Query Registry