Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-07-2024 10:36

General

  • Target

    DCRatBuild.exe

  • Size

    1.6MB

  • MD5

    01d84e6b9068bb3e5be23ead859dad8e

  • SHA1

    4942abe76919a4eb917336dc6ab2fa446c76acae

  • SHA256

    6a0ee90b6f1dd76a6269315104c2de7a060efc8001cda6339f29096daf59b61d

  • SHA512

    d7e72c2fb6df83f54eae57a2da350f9e5e3e38d3c9fc659d3e3c275a87374b2697eb130877f0e73dd9e4f29c88122206da5ab3ee45861582429c88d588633e7b

  • SSDEEP

    24576:U2G/nvxW3Ww0thQZoR7lLU0J5/PFiTVfHkOXYsFn2NGPxSRPl2NCd:UbA30hQZoQ0HFmYsB2x

Score
10/10

Malware Config

Signatures

  • DcRat 58 IoCs

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects the DCRat payload, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
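
The chain under Processes below runs DCRatBuild.exe, then WScript.exe on a .vbe in C:\Bridgecrt, then cmd.exe on a .bat, then RefdhcpSvc.exe, which re-launches itself, runs a second batch file from Temp, calls w32tm /stripchart against localhost and finally starts C:\Bridgecrt\lsass.exe. The following Python script is an added example, not part of the sandbox output: it reconstructs that ancestry from constructed process-creation events copied from the tree and flags two things a detection engineer would alert on, a binary outside the Windows and Program Files trees whose ancestors include a script host running a script file and cmd.exe running a batch file, and w32tm /stripchart /computer:localhost, which has no time-sync purpose and is used by batch droppers as a sleep. The script-host list and the directory roots are assumptions chosen for illustration.

```python
"""Process-chain triage over constructed process-creation events.

Added example for this report; it is not part of the sandbox output. EVENTS is
constructed from the Processes tree in this report (pid, parent pid, image path,
command line). The script-host set and directory roots are assumptions.
"""
import ntpath
import re
from typing import NamedTuple


class Event(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from this report's process tree; ppid 0 marks a parent the sandbox did not record.
EVENTS = [
    Event(2332, 0, r"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"'),
    Event(4680, 2332, r"C:\Windows\SysWOW64\WScript.exe",
          r'"C:\Windows\System32\WScript.exe" "C:\Bridgecrt\sZWlDJX899JKJ.vbe"'),
    Event(2384, 4680, r"C:\Windows\SysWOW64\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c ""C:\Bridgecrt\HCQUFaJMLZKomKKlWK1JJBtaf0zX.bat" "'),
    Event(3348, 2384, r"C:\Bridgecrt\RefdhcpSvc.exe", r'"C:\Bridgecrt\RefdhcpSvc.exe"'),
    Event(836, 3348, r"C:\Bridgecrt\RefdhcpSvc.exe", r'"C:\Bridgecrt\RefdhcpSvc.exe"'),
    Event(944, 836, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JTkIfO6e00.bat"'),
    Event(516, 944, r"C:\Windows\system32\w32tm.exe",
          r"w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    Event(1716, 944, r"C:\Bridgecrt\lsass.exe", r'"C:\Bridgecrt\lsass.exe"'),
    Event(4464, 1716, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http:///'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # assumption: script hosts of interest
SCRIPT_FILE = re.compile(r"\.(vbe|vbs|js|jse|wsf|hta)\b", re.I)
BATCH_FILE = re.compile(r"\.(bat|cmd)\b", re.I)
INSTALLED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")  # assumption


def image_name(path):
    return ntpath.basename(path).lower()


def is_dropped_location(image):
    """True when the image lives outside the Windows and Program Files trees."""
    d = ntpath.dirname(image).lower()
    return not any(d == root or d.startswith(root + "\\") for root in INSTALLED_ROOTS)


def build_index(events):
    return {e.pid: e for e in events}


def ancestry(index, pid):
    """Return the process and its recorded ancestors, child first (cycle-safe)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def chain_names(index, pid):
    return " <- ".join(image_name(e.image) for e in ancestry(index, pid))


def triage_chains(events):
    index = build_index(events)
    findings = []
    for e in events:
        # w32tm /stripchart against localhost has no time-sync purpose; batch droppers use it as a sleep.
        if image_name(e.image) == "w32tm.exe" and re.search(r"/stripchart\s+/computer:localhost", e.cmdline, re.I):
            findings.append({"pid": e.pid, "rule": "w32tm delay", "chain": chain_names(index, e.pid)})
        # A binary in a dropped location whose ancestors include a script host running a script
        # file and a cmd.exe running a batch file: the staged dropper chain seen in this report.
        if is_dropped_location(e.image):
            ancestors = ancestry(index, e.pid)[1:]
            saw_script = any(image_name(a.image) in SCRIPT_HOSTS and SCRIPT_FILE.search(a.cmdline) for a in ancestors)
            saw_batch = any(image_name(a.image) == "cmd.exe" and BATCH_FILE.search(a.cmdline) for a in ancestors)
            if saw_script and saw_batch:
                findings.append({"pid": e.pid, "rule": "script-host chain", "chain": chain_names(index, e.pid)})
    return findings


if __name__ == "__main__":
    for f in triage_chains(EVENTS):
        print(f"[{f['rule']}] pid {f['pid']}: {f['chain']}")
```

Note the image path versus the command line for PID 4680: the command line names System32\WScript.exe, but the 32-bit parent was redirected to SysWOW64 by WoW64 file-system redirection. Match on the recorded image path, not on the command line, or the script-host rule misses the hop.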

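The schtasks.exe entries under Processes follow one pattern per dropped binary: an ONLOGON task named after the binary, two MINUTE tasks (every 5 to 14 minutes) whose name is the binary name plus its first letter, most with /rl HIGHEST, and a target that borrows a Windows process name (lsass.exe, csrss.exe, smss.exe, WmiPrvSE.exe) in a directory where that process never lives. The following Python triage script is an added example, not the sandbox's code: it parses such command lines (a subset copied from this report plus one constructed benign control), groups them by target executable and reports those markers. The allow-list of Windows directories and the set of mimicked names are assumptions chosen for illustration.

```python
"""Triage of schtasks /create command lines for the persistence pattern in this report.

Added example; it is not part of the sandbox output. SAMPLE_CMDLINES is a subset
of the schtasks.exe command lines listed under Processes in this report, plus one
constructed benign line as a control. MIMICKED_NAMES and WINDOWS_DIRS are assumptions.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE_CMDLINES = [
    # Copied from this report:
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Bridgecrt\lsass.exe'" /f''',
    r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Bridgecrt\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Bridgecrt\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe'" /f''',
    # Constructed benign control, not from the report:
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Tools\backup.exe" /f''',
]

# Assumption: Windows/Office process names this sample borrows for its dropped copies.
MIMICKED_NAMES = {"lsass", "csrss", "smss", "wmiprvse", "taskhostw", "explorer", "searchapp",
                  "textinputhost", "idle", "system", "registry", "officeclicktorun", "waasmedicagent"}
# Assumption: coarse allow-list of where the genuine binaries live.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEMAPPS_PREFIX = "c:\\windows\\systemapps\\"

_FLAG = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\S+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'/tr\s+"([^"]+)"', re.I),
    "runlevel": re.compile(r"/rl\s+(\S+)", re.I),
}


def parse_schtasks_create(cmdline):
    """Return the fields of a `schtasks /create` command line, or None for anything else."""
    if not re.search(r"schtasks(\.exe)?\s+/create\b", cmdline, re.I):
        return None
    found = {k: rx.search(cmdline) for k, rx in _FLAG.items()}
    if not (found["name"] and found["schedule"] and found["target"]):
        return None
    return {
        "name": found["name"].group(1),
        "schedule": found["schedule"].group(1).upper(),
        "modifier": int(found["modifier"].group(1)) if found["modifier"] else None,
        # /tr values in this report are single-quoted inside the double quotes.
        "target": found["target"].group(1).strip("'"),
        "runlevel": found["runlevel"].group(1).upper() if found["runlevel"] else "LIMITED",
    }


def is_masquerade(target):
    """System-process name (lsass, csrss, ...) with an image outside the Windows directories."""
    base = ntpath.splitext(ntpath.basename(target))[0].lower()
    directory = ntpath.dirname(target).lower()
    return base in MIMICKED_NAMES and directory not in WINDOWS_DIRS and not directory.startswith(SYSTEMAPPS_PREFIX)


def triage(cmdlines):
    """Group tasks by target executable and report the DCRat-style persistence markers."""
    by_target = defaultdict(list)
    for t in filter(None, map(parse_schtasks_create, cmdlines)):
        by_target[t["target"]].append(t)
    findings = []
    for target, tasks in by_target.items():
        base = ntpath.splitext(ntpath.basename(target))[0]
        names = {t["name"] for t in tasks}
        schedules = {t["schedule"] for t in tasks}
        reasons = []
        if is_masquerade(target):
            reasons.append("system-process name outside the Windows directories")
        # One ONLOGON task named after the binary plus MINUTE tasks named binary+initial letter.
        if base in names and base + base[0] in names and {"ONLOGON", "MINUTE"} <= schedules:
            reasons.append("name / name+initial task triplet with ONLOGON and MINUTE triggers")
        if reasons and any(t["runlevel"] == "HIGHEST" for t in tasks):
            reasons.append("runs with /rl HIGHEST")
        if reasons:
            intervals = sorted(t["modifier"] for t in tasks if t["schedule"] == "MINUTE")
            findings.append({"target": target, "tasks": sorted(names), "intervals_min": intervals, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f["target"], f["tasks"], f["intervals_min"], "; ".join(f["reasons"]))
```

Run stand-alone it prints one line per flagged target; the benign control produces nothing. On a live host the same checks apply to the Actions and Triggers returned by Get-ScheduledTask, or to the task XML logged in Security event 4698. The pairing of an ONLOGON task with minute-interval re-launch tasks is what brings the RAT back after its process is killed, so removal has to delete every task in the triplet, not just the dropped file.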
Processes

  • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgecrt\sZWlDJX899JKJ.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Bridgecrt\HCQUFaJMLZKomKKlWK1JJBtaf0zX.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Bridgecrt\RefdhcpSvc.exe
          "C:\Bridgecrt\RefdhcpSvc.exe"
          4⤵
          • DcRat
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3348
          • C:\Bridgecrt\RefdhcpSvc.exe
            "C:\Bridgecrt\RefdhcpSvc.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:836
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JTkIfO6e00.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:944
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:516
                • C:\Bridgecrt\lsass.exe
                  "C:\Bridgecrt\lsass.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1716
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http:///
                    8⤵
                    • Enumerates system info in registry
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:4464
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa89d446f8,0x7ffa89d44708,0x7ffa89d44718
                      9⤵
                        PID:4560
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
                        9⤵
                          PID:3448
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
                          9⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2500
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
                          9⤵
                            PID:3544
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                            9⤵
                              PID:4472
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
                              9⤵
                                PID:4196
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
                                9⤵
                                  PID:4856
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
                                  9⤵
                                    PID:3216
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
                                    9⤵
                                      PID:2176
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
                                      9⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:2928
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
                                      9⤵
                                        PID:4016
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
                                        9⤵
                                          PID:3760
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,8093623809158206340,4485559321866158720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
                                          9⤵
                                            PID:2296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Services\TextInputHost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Services\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\Idle.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\Idle.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\dotnet\host\Idle.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Bridgecrt\taskhostw.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Bridgecrt\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4456
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Bridgecrt\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:5048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\smss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Bridgecrt\lsass.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Bridgecrt\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Bridgecrt\lsass.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RefdhcpSvcR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RefdhcpSvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RefdhcpSvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RefdhcpSvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RefdhcpSvcR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\RefdhcpSvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Bridgecrt\WaaSMedicAgent.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Bridgecrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Bridgecrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:4088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4292
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\Registry.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4712
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1980
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:732
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sysmon.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1724
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:624
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1040
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3756
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4480
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4328

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Bridgecrt\HCQUFaJMLZKomKKlWK1JJBtaf0zX.bat

                                Filesize

                                29B

                              • C:\Bridgecrt\RefdhcpSvc.exe

                                Filesize

                                1.3MB

                              • C:\Bridgecrt\sZWlDJX899JKJ.vbe

                                Filesize

                                214B

                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RefdhcpSvc.exe.log

                                Filesize

                                1KB

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                5KB

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                Filesize

                                6KB

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                Filesize

                                16B

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                Filesize

                                11KB

                              • C:\Users\Admin\AppData\Local\Temp\JTkIfO6e00.bat

                                Filesize

                                187B

                              • \??\pipe\LOCAL\crashpad_4464_YYIXWIFDHFHPPCNY

                              • memory/3348-16-0x0000000003010000-0x0000000003060000-memory.dmp

                                Filesize

                                320KB

                              • memory/3348-13-0x0000000000C00000-0x0000000000D4A000-memory.dmp

                                Filesize

                                1.3MB

                              • memory/3348-12-0x00007FFA78973000-0x00007FFA78975000-memory.dmp

                                Filesize

                                8KB

                              • memory/3348-14-0x0000000001630000-0x000000000163E000-memory.dmp

                                Filesize

                                56KB

                              • memory/3348-15-0x00000000016F0000-0x000000000170C000-memory.dmp

                                Filesize

                                112KB

                              • memory/3348-18-0x0000000001640000-0x0000000001650000-memory.dmp

                                Filesize

                                64KB

                              • memory/3348-17-0x0000000002FC0000-0x0000000002FD6000-memory.dmp

                                Filesize

                                88KB