Analysis

  • max time kernel
    102s
  • max time network
    128s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20-06-2024 18:40

General

  • Target

    DCRatBuild.exe

  • Size

    1.2MB

  • MD5

    6dee040a3c47aa2adb89705eb28bd394

  • SHA1

    13c5a360b9e8e30258512a403c6f78faf075571d

  • SHA256

    3e1e599e07cd53bc658e035ebbb7a18948d43c246c6fdcbc72f834f57d94ab7e

  • SHA512

    e22380cd2055f1baca4b021fde7f7ab5b85fb8544d0826ed7a93a0aa42cb8e01cc9d283a30747b005886f190f3065d699667bc81fd1a20269a536d26733909c9

  • SSDEEP

    24576:U2G/nvxW3Ww0tCtqhWfawiFH/AFoMbmMi5QeAOZLoiw9zMZGtXT:UbA30OqhWofYbPGbLrG5

Malware Config

Signatures

  • DcRat 16 IoCs

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 5 IoCs
  • Process spawned unexpected child process 15 IoCs

    This typically indicates that the parent process was compromised via an exploit or macro. In this report the flagged children are the schtasks.exe invocations listed at the top level of the process tree.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    PowerShell is run to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. Here each agentrefNet.exe instance runs Add-MpPreference -ExclusionPath twice: once for its own binary under AppData\Roaming\BlockServerComponenthostdhcp and once for a second path under AppData\Local that matches one of the scheduled-task targets (agentrefNet.exe, StartMenuExperienceHost.exe, SppExtComObj.exe, unsecapp.exe, OfficeClickToRun.exe).

  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. This sample creates three tasks per target name: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST, each pointing at a binary under C:\Users\Admin\AppData\Local\. The two MINUTE tasks share a task name and are created with /f, so the second replaces the first.

  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
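
The two signatures above that carry command lines in this report (PowerShell Defender exclusions and schtasks persistence) translate directly into detection logic over process-creation telemetry. The following Python is an added example, not part of the report and not DCRat code: it tokenizes the command lines quoted in this report (embedded as constructed sample input, plus one made-up benign task as a control), normalizes the mixed-slash paths the sample uses (C:/Users/Admin/AppData/Local/\x.exe), and reports exclusions and tasks that point into user-writable locations, request the HIGHEST run level, or reuse the name of a Windows/Office binary outside its normal location. The user-writable folder markers and the binary-name list are assumptions chosen for illustration.

```python
"""Added example: triage process command lines for the two patterns flagged in the report,
Windows Defender exclusions added with Add-MpPreference and persistence created with
schtasks /create.  Sample input is constructed from the report's own process tree."""
import re
from pathlib import PureWindowsPath

# Constructed sample: five lines copied from the report's process tree and one
# made-up benign schtasks line (NightlyBackup) as a control.
SAMPLE_CMDLINES = [
    '"powershell" -Command Add-MpPreference -ExclusionPath '
    "'C:\\Users\\Admin\\AppData\\Roaming\\BlockServerComponenthostdhcp\\agentrefNet.exe'",
    '"powershell" -Command Add-MpPreference -ExclusionPath '
    "'C:/Users/Admin/AppData/Local/\\StartMenuExperienceHost.exe'",
    'schtasks.exe /create /tn "agentrefNet" /sc ONLOGON '
    '/tr "\'C:/Users/Admin/AppData/Local/\\agentrefNet.exe\'" /rl HIGHEST /f',
    'schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 '
    '/tr "\'C:/Users/Admin/AppData/Local/\\SppExtComObj.exe\'" /f',
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    'schtasks.exe /create /tn "NightlyBackup" /sc DAILY '
    '/tr "C:\\Program Files\\Backup\\backup.exe" /f',
]

# Assumption: anything under these folders is writable without elevation.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\")
# Binary names this sample reuses for its copies (assumed list); the genuine files live
# under C:\Windows or Program Files, so the same name under a user profile is masquerading.
SYSTEM_BINARY_NAMES = {"startmenuexperiencehost.exe", "sppextcomobj.exe",
                       "unsecapp.exe", "officeclicktorun.exe"}

_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def unquote(token):
    """Strip nested quoting such as schtasks' /tr "'C:\\x.exe'" down to the bare value."""
    while len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        token = token[1:-1]
    return token


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs together."""
    return [unquote(t) for t in _TOKEN.findall(cmdline)]


def normalize_path(raw):
    """Fold the mixed separators the sample uses (C:/Users/.../Local/\\x.exe) into one form."""
    return str(PureWindowsPath(unquote(raw)))


def is_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def defender_exclusions(cmdline):
    """Return [(parameter, normalized value)] for every exclusion an Add-MpPreference call adds."""
    toks = tokenize(cmdline)
    low = [t.lower() for t in toks]
    if "add-mppreference" not in low:
        return []
    found = []
    for i, t in enumerate(low):
        if t in ("-exclusionpath", "-exclusionprocess", "-exclusionextension") and i + 1 < len(toks):
            for value in toks[i + 1].split(","):  # the cmdlet accepts comma-separated lists
                found.append((toks[i][1:], normalize_path(value.strip())))
    return found


def scheduled_task(cmdline):
    """Parse 'schtasks /create' switches into a dict; None for any other command line."""
    toks = tokenize(cmdline)
    if not toks or PureWindowsPath(toks[0]).name.lower() not in ("schtasks.exe", "schtasks"):
        return None
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    task = {}
    for i, t in enumerate(low):
        if t in ("/tn", "/sc", "/mo", "/tr", "/rl") and i + 1 < len(toks):
            task[t[1:]] = toks[i + 1]
    if "tr" in task:
        task["tr"] = normalize_path(task["tr"])
    return task


def task_reasons(task):
    """Why a parsed task looks like the persistence in this report; empty list if it does not."""
    reasons = []
    target = task.get("tr", "")
    if is_user_writable(target):
        reasons.append("runs a binary from a user-writable path")
    if PureWindowsPath(target).name.lower() in SYSTEM_BINARY_NAMES and is_user_writable(target):
        reasons.append("masquerades as a Windows/Office binary outside its normal location")
    if task.get("rl", "").upper() == "HIGHEST":
        reasons.append("requests highest privileges")
    # A short repeat interval is context, not a signal on its own, so it is only added
    # when something else already flagged the task.
    if reasons and task.get("sc", "").upper() == "MINUTE":
        reasons.append(f"re-launches every {task.get('mo', '1')} minute(s)")
    return reasons


def triage(cmdlines):
    """Run both detectors over process-creation command lines and collect findings."""
    findings = []
    for line in cmdlines:
        for param, path in defender_exclusions(line):
            findings.append({"type": "defender_exclusion", "parameter": param, "path": path,
                             "user_writable": is_user_writable(path)})
        task = scheduled_task(line)
        if task:
            reasons = task_reasons(task)
            if reasons:
                findings.append({"type": "scheduled_task", "name": task.get("tn"),
                                 "target": task.get("tr"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINES):
        print(finding)
```

Run as a script it prints the findings for the sample lines; in practice feed triage() the CommandLine field of Sysmon Event ID 1 or Windows Security 4688 records. Path normalization matters here because the sample deliberately mixes forward slashes and a stray backslash in its task targets, which defeats naive string matching on the literal exclusion or task path.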

Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4568
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2272
        • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
          "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\agentrefNet.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4748
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NkfdZ2sUBf.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4784
              • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                6⤵
                • Modifies WinLogon for persistence
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:760
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2164
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4464
                • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                  "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                  7⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Adds Run key to start application
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3052
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2208
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3312
                  • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                    "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                    8⤵
                    • Modifies WinLogon for persistence
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1748
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1076
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\unsecapp.exe'
                      9⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1232
                    • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                      "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                      9⤵
                      • Modifies WinLogon for persistence
                      • Executes dropped EXE
                      • Adds Run key to start application
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:3268
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2128
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'
                        10⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:3288
                      • C:\Users\Admin\AppData\Local\OfficeClickToRun.exe
                        "C:\Users\Admin\AppData\Local\OfficeClickToRun.exe"
                        10⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentrefNeta" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2028
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentrefNet" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2532
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "agentrefNeta" /sc MINUTE /mo 5 /tr "'C:/Users/Admin/AppData/Local/\agentrefNet.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Process spawned unexpected child process
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
      1⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff71ce3cb8,0x7fff71ce3cc8,0x7fff71ce3cd8
        2⤵
          PID:544
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
          2⤵
            PID:3840
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5084
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
            2⤵
              PID:1324
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
              2⤵
                PID:1872
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
                2⤵
                  PID:3380
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
                  2⤵
                    PID:2956
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
                    2⤵
                      PID:1264
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,6167650874041531722,6520823635656398096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3416 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1824
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:3716
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:2212
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2932
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4504
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:/Users/Admin/AppData/Local/\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3320
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4840
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3296
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:/Users/Admin/AppData/Local/\SppExtComObj.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:1780
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:2096
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4800
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:/Users/Admin/AppData/Local/\unsecapp.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3288
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:4660
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3516
                      • C:\Windows\system32\schtasks.exe
                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:/Users/Admin/AppData/Local/\OfficeClickToRun.exe'" /rl HIGHEST /f
                        1⤵
                        • DcRat
                        • Process spawned unexpected child process
                        • Scheduled Task/Job: Scheduled Task
                        PID:3428
                      • C:\Windows\System32\rundll32.exe
                        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                        1⤵
                          PID:1496
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
                          1⤵
                            PID:4616
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
                              2⤵
                                PID:5068
                                • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                  "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                  3⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1276
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
                              1⤵
                                PID:4408
                                • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                  "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2272
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
                                1⤵
                                  PID:4780
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
                                    2⤵
                                      PID:540
                                      • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                        "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2676
                                  • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                    "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4508
                                  • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                    "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4068
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                    1⤵
                                      PID:1132
                                      • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                        "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1704
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe" C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                      1⤵
                                        PID:4756
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
                                          2⤵
                                            PID:3700
                                            • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                              "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                              3⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3568
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
                                          1⤵
                                            PID:1884
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
                                              2⤵
                                                PID:3380
                                                • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                                  "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3340
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\Lp39mz9Ejhm.vbe"
                                              1⤵
                                                PID:2468
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\EI35eA743vE.bat" "
                                                  2⤵
                                                    PID:4800
                                                    • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                                      "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                                      3⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2028
                                                • C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe
                                                  "C:\Users\Admin\AppData\Roaming\BlockServerComponenthostdhcp\agentrefNet.exe"
                                                  1⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1876

Network

MITRE ATT&CK Enterprise v15

                                                Downloads
