dcrat | d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c

Analysis

max time kernel
1800s
max time network
1800s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Njrat.exe
Size

3.1MB
MD5

7bbb27a3b9ace5f7d403ba8d6ef58d28
SHA1

5effbe830a93770824ee60f65eac790dda1ee807
SHA256

d9dc76fcec48e47d8a10afa9ee40af17b856bff408bbc3eb36f5d362364a8d4c
SHA512

32774b5efc9a4c771ed74cb59d6e4221d4cfb92e05d18cf9d3ad53b957005cce84892ef9e563d2c4c932127dac595394e23d8bc3e2a6ab3a654acef5e24e0327
SSDEEP

49152:VbA3GVZoGDweuD4gWA7evLcjM3wwwZHFXIJ5nDWhVGUwwB3SNZts8zOqhsg:VbZDweuD4rcH9Vl65Dac7ssNj

Score

10^/10

dcrat discovery evasion execution infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3652	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	228	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	228	schtasks.exe	85

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/files/0x000300000002aa31-10.dat	dcrat
behavioral4/memory/2916-13-0x0000000000EF0000-0x00000000011D2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3064	powershell.exe
4044	powershell.exe
4404	powershell.exe
3804	powershell.exe
692	powershell.exe
3728	powershell.exe
3848	powershell.exe
2656	powershell.exe
2664	powershell.exe
4832	powershell.exe
3332	powershell.exe
2672	powershell.exe

Executes dropped EXE 37 IoCs

pid	Process
2916	Hyperblockport.exe
4500	csrss.exe
1060	dllhost.exe
4184	unsecapp.exe
4376	smss.exe
2680	csrss.exe
1948	dwm.exe
2036	StartMenuExperienceHost.exe
4604	RuntimeBroker.exe
4780	dllhost.exe
2444	explorer.exe
2368	unsecapp.exe
3016	SearchHost.exe
2436	fontdrvhost.exe
3960	smss.exe
4808	sihost.exe
4264	spoolsv.exe
3900	dllhost.exe
1428	csrss.exe
2136	dwm.exe
4484	unsecapp.exe
1112	StartMenuExperienceHost.exe
4048	RuntimeBroker.exe
2196	dllhost.exe
4824	smss.exe
1484	explorer.exe
336	unsecapp.exe
4548	csrss.exe
3696	SearchHost.exe
4596	dllhost.exe
3220	dwm.exe
1484	StartMenuExperienceHost.exe
4576	fontdrvhost.exe
2496	smss.exe
3696	sihost.exe
2192	spoolsv.exe
3324	unsecapp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ipinfo.io
6	ipinfo.io

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\dwm.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Google\CrashReports\6cb0b6c459d5d3	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Media Player\69ddcba757bf72	Hyperblockport.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9	Hyperblockport.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\55b276f4edf653	Hyperblockport.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\dwm.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\Windows Media Player\smss.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe	Hyperblockport.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\66fc9ff0ee96c2	Hyperblockport.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe	Hyperblockport.exe
File created	C:\Windows\DiagTrack\Settings\55b276f4edf653	Hyperblockport.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	Njrat.exe
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1016	schtasks.exe
3000	schtasks.exe
2368	schtasks.exe
1352	schtasks.exe
1788	schtasks.exe
4600	schtasks.exe
2980	schtasks.exe
5048	schtasks.exe
2784	schtasks.exe
3220	schtasks.exe
1676	schtasks.exe
1236	schtasks.exe
1984	schtasks.exe
1588	schtasks.exe
2928	schtasks.exe
2764	schtasks.exe
5104	schtasks.exe
4900	schtasks.exe
3780	schtasks.exe
4748	schtasks.exe
4304	schtasks.exe
4436	schtasks.exe
3748	schtasks.exe
1536	schtasks.exe
404	schtasks.exe
4516	schtasks.exe
3500	schtasks.exe
3652	schtasks.exe
4268	schtasks.exe
640	schtasks.exe
1132	schtasks.exe
3412	schtasks.exe
4308	schtasks.exe
5064	schtasks.exe
2428	schtasks.exe
1380	schtasks.exe
240	schtasks.exe
2856	schtasks.exe
2640	schtasks.exe
476	schtasks.exe
2700	schtasks.exe
480	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
2916	Hyperblockport.exe
3728	powershell.exe
3728	powershell.exe
3848	powershell.exe
3848	powershell.exe
2672	powershell.exe
2672	powershell.exe
4832	powershell.exe
4832	powershell.exe
2664	powershell.exe
2664	powershell.exe
692	powershell.exe
692	powershell.exe
4404	powershell.exe
4404	powershell.exe
3804	powershell.exe
3804	powershell.exe
4044	powershell.exe
4044	powershell.exe
3064	powershell.exe
3064	powershell.exe
2656	powershell.exe
2656	powershell.exe
4832	powershell.exe
3332	powershell.exe
3332	powershell.exe
4044	powershell.exe
2672	powershell.exe
3728	powershell.exe
2656	powershell.exe
3848	powershell.exe
2664	powershell.exe
692	powershell.exe
4404	powershell.exe
3804	powershell.exe
3332	powershell.exe
3064	powershell.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe
4500	csrss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4500	csrss.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	Hyperblockport.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	4500	csrss.exe
Token: SeBackupPrivilege	2680	vssvc.exe
Token: SeRestorePrivilege	2680	vssvc.exe
Token: SeAuditPrivilege	2680	vssvc.exe
Token: SeDebugPrivilege	1060	dllhost.exe
Token: SeDebugPrivilege	4184	unsecapp.exe
Token: SeDebugPrivilege	4376	smss.exe
Token: SeDebugPrivilege	2680	csrss.exe
Token: SeDebugPrivilege	1948	dwm.exe
Token: SeDebugPrivilege	2036	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4604	RuntimeBroker.exe
Token: SeDebugPrivilege	4780	dllhost.exe
Token: SeDebugPrivilege	2444	explorer.exe
Token: SeDebugPrivilege	2368	unsecapp.exe
Token: SeDebugPrivilege	3016	SearchHost.exe
Token: SeDebugPrivilege	2436	fontdrvhost.exe
Token: SeDebugPrivilege	3960	smss.exe
Token: SeDebugPrivilege	4808	sihost.exe
Token: SeDebugPrivilege	4264	spoolsv.exe
Token: SeDebugPrivilege	3900	dllhost.exe
Token: SeDebugPrivilege	1428	csrss.exe
Token: SeDebugPrivilege	2136	dwm.exe
Token: SeDebugPrivilege	4484	unsecapp.exe
Token: SeDebugPrivilege	1112	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4048	RuntimeBroker.exe
Token: SeDebugPrivilege	2196	dllhost.exe
Token: SeDebugPrivilege	4824	smss.exe
Token: SeDebugPrivilege	1484	explorer.exe
Token: SeDebugPrivilege	336	unsecapp.exe
Token: SeDebugPrivilege	4548	csrss.exe
Token: SeDebugPrivilege	3696	SearchHost.exe
Token: SeDebugPrivilege	4596	dllhost.exe
Token: SeDebugPrivilege	3220	dwm.exe
Token: SeDebugPrivilege	1484	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4576	fontdrvhost.exe
Token: SeDebugPrivilege	2496	smss.exe
Token: SeDebugPrivilege	3696	sihost.exe
Token: SeDebugPrivilege	2192	spoolsv.exe
Token: SeDebugPrivilege	3324	unsecapp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4500	csrss.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 1904	5108	Njrat.exe	79
PID 5108 wrote to memory of 1904	5108	Njrat.exe	79
PID 5108 wrote to memory of 1904	5108	Njrat.exe	79
PID 1904 wrote to memory of 1516	1904	WScript.exe	82
PID 1904 wrote to memory of 1516	1904	WScript.exe	82
PID 1904 wrote to memory of 1516	1904	WScript.exe	82
PID 1516 wrote to memory of 2916	1516	cmd.exe	84
PID 1516 wrote to memory of 2916	1516	cmd.exe	84
PID 2916 wrote to memory of 3848	2916	Hyperblockport.exe	128
PID 2916 wrote to memory of 3848	2916	Hyperblockport.exe	128
PID 2916 wrote to memory of 3728	2916	Hyperblockport.exe	129
PID 2916 wrote to memory of 3728	2916	Hyperblockport.exe	129
PID 2916 wrote to memory of 3332	2916	Hyperblockport.exe	130
PID 2916 wrote to memory of 3332	2916	Hyperblockport.exe	130
PID 2916 wrote to memory of 4832	2916	Hyperblockport.exe	131
PID 2916 wrote to memory of 4832	2916	Hyperblockport.exe	131
PID 2916 wrote to memory of 692	2916	Hyperblockport.exe	133
PID 2916 wrote to memory of 692	2916	Hyperblockport.exe	133
PID 2916 wrote to memory of 3804	2916	Hyperblockport.exe	135
PID 2916 wrote to memory of 3804	2916	Hyperblockport.exe	135
PID 2916 wrote to memory of 4404	2916	Hyperblockport.exe	136
PID 2916 wrote to memory of 4404	2916	Hyperblockport.exe	136
PID 2916 wrote to memory of 4044	2916	Hyperblockport.exe	137
PID 2916 wrote to memory of 4044	2916	Hyperblockport.exe	137
PID 2916 wrote to memory of 3064	2916	Hyperblockport.exe	138
PID 2916 wrote to memory of 3064	2916	Hyperblockport.exe	138
PID 2916 wrote to memory of 2664	2916	Hyperblockport.exe	139
PID 2916 wrote to memory of 2664	2916	Hyperblockport.exe	139
PID 2916 wrote to memory of 2672	2916	Hyperblockport.exe	140
PID 2916 wrote to memory of 2672	2916	Hyperblockport.exe	140
PID 2916 wrote to memory of 2656	2916	Hyperblockport.exe	141
PID 2916 wrote to memory of 2656	2916	Hyperblockport.exe	141
PID 2916 wrote to memory of 4500	2916	Hyperblockport.exe	152
PID 2916 wrote to memory of 4500	2916	Hyperblockport.exe	152
PID 4500 wrote to memory of 3504	4500	csrss.exe	153
PID 4500 wrote to memory of 3504	4500	csrss.exe	153
PID 4500 wrote to memory of 1984	4500	csrss.exe	154
PID 4500 wrote to memory of 1984	4500	csrss.exe	154

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Hyperblockport.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Hyperblockport.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Njrat.exe
"C:\Users\Admin\AppData\Local\Temp\Njrat.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\containerperf\9nepdzd6Yg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\containerperf\Hyperblockport.exe
      "C:\containerperf\Hyperblockport.exe"
      4⤵
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerperf/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4500
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bdb5945-f0f8-4388-9e1c-1668e5d73ed5.vbs"
        6⤵
        
        PID:3504
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\950de2dc-137f-4452-ad98-ccd61c7f8a32.vbs"
        6⤵
        
        PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Music\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\containerperf\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\containerperf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\containerperf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\DiagTrack\Settings\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\containerperf\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\containerperf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\containerperf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\containerperf\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\containerperf\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 12 /tr "'C:\containerperf\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\containerperf\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\containerperf\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\containerperf\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1412

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Users\Public\Music\unsecapp.exe
C:\Users\Public\Music\unsecapp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Program Files (x86)\Windows Media Player\smss.exe
"C:\Program Files (x86)\Windows Media Player\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Program Files (x86)\Google\CrashReports\dwm.exe
"C:\Program Files (x86)\Google\CrashReports\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Users\Public\Music\unsecapp.exe
C:\Users\Public\Music\unsecapp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\containerperf\SearchHost.exe
C:\containerperf\SearchHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\containerperf\fontdrvhost.exe
C:\containerperf\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Program Files (x86)\Windows Media Player\smss.exe
"C:\Program Files (x86)\Windows Media Player\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\containerperf\spoolsv.exe
C:\containerperf\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Program Files (x86)\Google\CrashReports\dwm.exe
"C:\Program Files (x86)\Google\CrashReports\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Users\Public\Music\unsecapp.exe
C:\Users\Public\Music\unsecapp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe
"C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Program Files (x86)\Windows Media Player\smss.exe
"C:\Program Files (x86)\Windows Media Player\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Recovery\WindowsRE\explorer.exe
C:\Recovery\WindowsRE\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Public\Music\unsecapp.exe
C:\Users\Public\Music\unsecapp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Recovery\WindowsRE\csrss.exe
C:\Recovery\WindowsRE\csrss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\containerperf\SearchHost.exe
C:\containerperf\SearchHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4596

C:\Program Files (x86)\Google\CrashReports\dwm.exe
"C:\Program Files (x86)\Google\CrashReports\dwm.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\StartMenuExperienceHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\containerperf\fontdrvhost.exe
C:\containerperf\fontdrvhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Program Files (x86)\Windows Media Player\smss.exe
"C:\Program Files (x86)\Windows Media Player\smss.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe
"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\containerperf\spoolsv.exe
C:\containerperf\spoolsv.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Users\Public\Music\unsecapp.exe
C:\Users\Public\Music\unsecapp.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae67abe49ef8ab8e76e1ca80d8344de1

SHA1
f2b538bbcd7097f414563e512eeef3c83d7963d6

SHA256
46cf691b4f643e595afd0d9647eab12b858918d679d82617c6609b687628a0a7

SHA512
101b5ef9d6f834fdc2983f3107bb241b9f5cafefdc7859a664fb569b7d592de70db5c8d16abdc29a430103d20d2f15a20b1b99a895d2c7f0d8e2250d87c8f29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1064c2dd154e6f6a99bb7fc3a260fec6

SHA1
907bbb9ae002bddedd14a76c5d4634a4d8e8b375

SHA256
9f375b5086cd6dc6e3493c77f5118c3807b6cd65a772a491da97a83ec2f09ab4

SHA512
25ca6eef27b942eb4c2d6defc6b9a2add1af97717445d4847971a50009735c7ea89723c6f3cc78d09d000d28de710ba501808349734ee651884ebefe43426066

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bdb5945-f0f8-4388-9e1c-1668e5d73ed5.vbs

Filesize
707B

MD5
6388f2a6a5cc2aa5c02f922652cda33d

SHA1
88b4f0061c0e64ead72f6cf3ae13c7aa6fd362fa

SHA256
29ceca7d7286745a7b9195f15aa2978d4f0a0d456e31313f592caad9e92b918a

SHA512
18b68386ed6559ef6d55832b121698e173253e1c1c87ce5378a42e86b32030e2f04285a1a504ce20f573441e297356ec9bc50276dffa81c9fae119364a47c567

Download Submit
C:\Users\Admin\AppData\Local\Temp\950de2dc-137f-4452-ad98-ccd61c7f8a32.vbs

Filesize
483B

MD5
66ad77d6a8130386ebe65e436ceb6488

SHA1
4b190348d29167f86eae75283d29889251af6645

SHA256
507102978c339bd3a1133093d8cc0c6f3b5e4f68103bcd02938149aa8890206b

SHA512
7523a8d6311e4990691ac648340288d8af6a1797b9696198eb4c1fed33740500769174c73a94c3c1b388d9a4f4b164cbe50717a59b2d65e9d2a38fdd2750f356

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gl2zp40q.gl5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\containerperf\9nepdzd6Yg.vbe

Filesize
226B

MD5
fd73bba1ae261c1bde0a83ff425994c4

SHA1
7e9e51cef1374547c885b6e8bd62ed2a1dc6902b

SHA256
16f04c862e66dbdf8631baaa3c37e771281f59d68d60420d4dac89701c1fb732

SHA512
20644ded806f97cdd62b136fa4cd6bff7ed61d8c4f6d533dee3c71d3f12923243551e910f56d4504a0c67a89a3e50064fa8f53cb3b307150cf185c9016e004e4

Download Submit
C:\containerperf\Hyperblockport.exe

Filesize
2.9MB

MD5
a5eb91d9ffb09e43c86d3ac84354107f

SHA1
ab225fd443f3c209c4493e1dd823093c87364075

SHA256
13da0ed8f7f0cfbf7187ae5d3fe222a0aac5a0fad6e0c1f011f0ef3f8d126906

SHA512
3259e901d0347db552f658f89c11c711f328831a5da203b18e8383740a202b87aea4a2c84c33d3ca6d9a8200d1f933f8820379a7b77e094c005a004c9f3c59ee

Download Submit
C:\containerperf\MJF5L0LGrR45RopQV75MoqBbC.bat

Filesize
48B

MD5
7a122e2bf760c3ba657e5ba59337bce2

SHA1
e9ac1ad5c6b04628fdea1a0657f0e466a2a06261

SHA256
b9469f10268a8e4a44814d71f3eb6530f2a4970933b586f6dc5e3eebb2fe33f8

SHA512
89912e65857c9975e0c6ab2b3ea94f07547cba9e875b7db26dc87a6d2ec8ba79b9aa7421a78f8203587ffc70fe39df2c8fc95566c47d4681fa59f933129c6c64

Download Submit
memory/2672-92-0x000001F4559E0000-0x000001F455A02000-memory.dmp

Filesize
136KB

Download
memory/2916-19-0x000000001BF40000-0x000000001BF96000-memory.dmp

Filesize
344KB

Download
memory/2916-24-0x000000001BF90000-0x000000001BFA2000-memory.dmp

Filesize
72KB

Download
memory/2916-26-0x000000001BFA0000-0x000000001BFAC000-memory.dmp

Filesize
48KB

Download
memory/2916-28-0x000000001C5F0000-0x000000001C5FC000-memory.dmp

Filesize
48KB

Download
memory/2916-27-0x000000001C5E0000-0x000000001C5EC000-memory.dmp

Filesize
48KB

Download
memory/2916-29-0x000000001C840000-0x000000001C848000-memory.dmp

Filesize
32KB

Download
memory/2916-30-0x000000001C850000-0x000000001C85A000-memory.dmp

Filesize
40KB

Download
memory/2916-33-0x000000001C880000-0x000000001C88E000-memory.dmp

Filesize
56KB

Download
memory/2916-32-0x000000001C870000-0x000000001C878000-memory.dmp

Filesize
32KB

Download
memory/2916-31-0x000000001C860000-0x000000001C86E000-memory.dmp

Filesize
56KB

Download
memory/2916-34-0x000000001C890000-0x000000001C898000-memory.dmp

Filesize
32KB

Download
memory/2916-35-0x000000001CA60000-0x000000001CA68000-memory.dmp

Filesize
32KB

Download
memory/2916-36-0x000000001CA70000-0x000000001CA7C000-memory.dmp

Filesize
48KB

Download
memory/2916-25-0x000000001CB10000-0x000000001D038000-memory.dmp

Filesize
5.2MB

Download
memory/2916-23-0x0000000003500000-0x0000000003508000-memory.dmp

Filesize
32KB

Download
memory/2916-22-0x00000000034F0000-0x00000000034FC000-memory.dmp

Filesize
48KB

Download
memory/2916-21-0x00000000034E0000-0x00000000034E8000-memory.dmp

Filesize
32KB

Download
memory/2916-20-0x00000000034D0000-0x00000000034DC000-memory.dmp

Filesize
48KB

Download
memory/2916-18-0x00000000034C0000-0x00000000034CA000-memory.dmp

Filesize
40KB

Download
memory/2916-16-0x00000000034A0000-0x00000000034B6000-memory.dmp

Filesize
88KB

Download
memory/2916-17-0x0000000003310000-0x0000000003320000-memory.dmp

Filesize
64KB

Download
memory/2916-15-0x000000001BEF0000-0x000000001BF40000-memory.dmp

Filesize
320KB

Download
memory/2916-14-0x0000000003480000-0x000000000349C000-memory.dmp

Filesize
112KB

Download
memory/2916-13-0x0000000000EF0000-0x00000000011D2000-memory.dmp

Filesize
2.9MB

Download
memory/2916-12-0x00007FFC056F3000-0x00007FFC056F5000-memory.dmp

Filesize
8KB

Download
memory/4500-244-0x0000000020400000-0x00000000205B3000-memory.dmp

Filesize
1.7MB

Download
memory/4500-205-0x000000001F5C0000-0x000000001F782000-memory.dmp

Filesize
1.8MB

Download