dcrat | 2ebcbc7ecacf1e3398613aa73dc2bff59b0bc0cf2724b68a20fe071a054c2d80

Analysis

max time kernel
96s
max time network
127s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
30-11-2024 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanCrack.exe
Size

1.7MB
MD5

062e3b4cd1878667da10f08bdd209dd6
SHA1

c6d785f9df07b202f2db280016c5773092dd111a
SHA256

2ebcbc7ecacf1e3398613aa73dc2bff59b0bc0cf2724b68a20fe071a054c2d80
SHA512

6e598e330cb1c9db77edca1ea51d8aaa1939278a3ba480e2eb922a8b0f17b28a768150dbdcf660ae51468967dd447580bc68bf428148ea1ccecec85c67719fd6
SSDEEP

49152:3BIjEaf0EC0bEvDC3B6Bo2UPjAgAecjJl/ud:xQEwvAC3oUPjuRlmd

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ProviderserverRuntimeperfcommon.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortcomproviderMonitor\\Registry.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortcomproviderMonitor\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortcomproviderMonitor\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortcomproviderMonitor\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files\\dotnet\\host\\StartMenuExperienceHost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortcomproviderMonitor\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files\\dotnet\\host\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\conhost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortcomproviderMonitor\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\SearchHost.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Program Files\\dotnet\\host\\StartMenuExperienceHost.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	240	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	5000	schtasks.exe	81
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	5000	schtasks.exe	81

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3908	powershell.exe
3108	powershell.exe
2668	powershell.exe
5076	powershell.exe
3220	powershell.exe
740	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

ProviderserverRuntimeperfcommon.exeSearchHost.exe

pid	Process
788	ProviderserverRuntimeperfcommon.exe
1108	SearchHost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ProviderserverRuntimeperfcommon.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\host\\StartMenuExperienceHost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\PortcomproviderMonitor\\Registry.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\dotnet\\host\\StartMenuExperienceHost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ProviderserverRuntimeperfcommon = "\"C:\\PortcomproviderMonitor\\ProviderserverRuntimeperfcommon.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\PortcomproviderMonitor\\Registry.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchHost = "\"C:\\Recovery\\WindowsRE\\SearchHost.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	ProviderserverRuntimeperfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\""	ProviderserverRuntimeperfcommon.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC2C1A888C94D34B19A5E91F3A49D2D48.TMP	csc.exe
File created	\??\c:\Windows\System32\j7xqt2.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

ProviderserverRuntimeperfcommon.exe

description	ioc	Process
File created	C:\Program Files\dotnet\host\StartMenuExperienceHost.exe	ProviderserverRuntimeperfcommon.exe
File created	C:\Program Files\dotnet\host\55b276f4edf653	ProviderserverRuntimeperfcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NursultanCrack.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NursultanCrack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXE

pid	Process
5084	PING.EXE

Modifies registry class 2 IoCs

Processes:

NursultanCrack.exeProviderserverRuntimeperfcommon.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	NursultanCrack.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	ProviderserverRuntimeperfcommon.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5084	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1584	schtasks.exe
2288	schtasks.exe
1236	schtasks.exe
2460	schtasks.exe
2780	schtasks.exe
756	schtasks.exe
1980	schtasks.exe
2256	schtasks.exe
240	schtasks.exe
4408	schtasks.exe
1612	schtasks.exe
3212	schtasks.exe
2044	schtasks.exe
2536	schtasks.exe
4424	schtasks.exe
1648	schtasks.exe
3888	schtasks.exe
3164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ProviderserverRuntimeperfcommon.exe

pid	Process
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe
788	ProviderserverRuntimeperfcommon.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ProviderserverRuntimeperfcommon.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSearchHost.exe

description	pid	Process
Token: SeDebugPrivilege	788	ProviderserverRuntimeperfcommon.exe
Token: SeDebugPrivilege	3220	powershell.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1108	SearchHost.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

NursultanCrack.exeWScript.execmd.exeProviderserverRuntimeperfcommon.execsc.execmd.exe

description	pid	Process	procid_target
PID 1900 wrote to memory of 3732	1900	NursultanCrack.exe	77
PID 1900 wrote to memory of 3732	1900	NursultanCrack.exe	77
PID 1900 wrote to memory of 3732	1900	NursultanCrack.exe	77
PID 3732 wrote to memory of 444	3732	WScript.exe	78
PID 3732 wrote to memory of 444	3732	WScript.exe	78
PID 3732 wrote to memory of 444	3732	WScript.exe	78
PID 444 wrote to memory of 788	444	cmd.exe	80
PID 444 wrote to memory of 788	444	cmd.exe	80
PID 788 wrote to memory of 3948	788	ProviderserverRuntimeperfcommon.exe	85
PID 788 wrote to memory of 3948	788	ProviderserverRuntimeperfcommon.exe	85
PID 3948 wrote to memory of 1884	3948	csc.exe	87
PID 3948 wrote to memory of 1884	3948	csc.exe	87
PID 788 wrote to memory of 3220	788	ProviderserverRuntimeperfcommon.exe	103
PID 788 wrote to memory of 3220	788	ProviderserverRuntimeperfcommon.exe	103
PID 788 wrote to memory of 5076	788	ProviderserverRuntimeperfcommon.exe	104
PID 788 wrote to memory of 5076	788	ProviderserverRuntimeperfcommon.exe	104
PID 788 wrote to memory of 740	788	ProviderserverRuntimeperfcommon.exe	105
PID 788 wrote to memory of 740	788	ProviderserverRuntimeperfcommon.exe	105
PID 788 wrote to memory of 3908	788	ProviderserverRuntimeperfcommon.exe	106
PID 788 wrote to memory of 3908	788	ProviderserverRuntimeperfcommon.exe	106
PID 788 wrote to memory of 2668	788	ProviderserverRuntimeperfcommon.exe	107
PID 788 wrote to memory of 2668	788	ProviderserverRuntimeperfcommon.exe	107
PID 788 wrote to memory of 3108	788	ProviderserverRuntimeperfcommon.exe	108
PID 788 wrote to memory of 3108	788	ProviderserverRuntimeperfcommon.exe	108
PID 788 wrote to memory of 1188	788	ProviderserverRuntimeperfcommon.exe	115
PID 788 wrote to memory of 1188	788	ProviderserverRuntimeperfcommon.exe	115
PID 1188 wrote to memory of 4988	1188	cmd.exe	117
PID 1188 wrote to memory of 4988	1188	cmd.exe	117
PID 1188 wrote to memory of 5084	1188	cmd.exe	118
PID 1188 wrote to memory of 5084	1188	cmd.exe	118
PID 1188 wrote to memory of 1108	1188	cmd.exe	119
PID 1188 wrote to memory of 1108	1188	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanCrack.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortcomproviderMonitor\zdVRFS49Tu9N4LjG96hAtZRk1eAmIHAaUMcnxAd6hGdFMS5kR1nGpqidc.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortcomproviderMonitor\FJVItkObhEojrcNtEIv474jEh5t.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe
      "C:\PortcomproviderMonitor/ProviderserverRuntimeperfcommon.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzjqmssi\uzjqmssi.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED8C.tmp" "c:\Windows\System32\CSC2C1A888C94D34B19A5E91F3A49D2D48.TMP"
        6⤵
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortcomproviderMonitor\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\dotnet\host\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or8YCvotrQ.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1188
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4988
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5084
      - C:\Recovery\WindowsRE\SearchHost.exe
        
        "C:\Recovery\WindowsRE\SearchHost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\PortcomproviderMonitor\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\PortcomproviderMonitor\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\PortcomproviderMonitor\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\dotnet\host\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 9 /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommon" /sc ONLOGON /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ProviderserverRuntimeperfcommonP" /sc MINUTE /mo 12 /tr "'C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortcomproviderMonitor\FJVItkObhEojrcNtEIv474jEh5t.bat

Filesize
106B

MD5
94909fd684f66eecfdac274e00d5a363

SHA1
fc11a50df025ba0328607f63d78faf777e5766d4

SHA256
4d93125e77e0240100adfd50d5599c0b65f3903a0df5e390361d9815458674af

SHA512
f79dd275cbb96ee0f1ff9a5df479adb300644ac26d28785d8ab17ae5d95670cf388cce2d9ea4ef8454f9287e3641fe5ad826fab3596c765d68af2301adb2a9f1

Download Submit
C:\PortcomproviderMonitor\ProviderserverRuntimeperfcommon.exe

Filesize
1.9MB

MD5
f03f8a942b3ec90eb92280717f3c7394

SHA1
fea40f92b76757c2259d486b0ea2d138e9efc02c

SHA256
4933a81b1bb2b13cda06a4941791b30d1f663ff9f47ec15b09cd34d7f0c1c92a

SHA512
a74dbc33a0c2e6c6043e148c539d4a63602ba646eb2830c604ea2b186fa9d235c7aebe440ff453c29220ed19b63665ebd9a83b8bb6c02383e14453eb1645fae8

Download Submit
C:\PortcomproviderMonitor\zdVRFS49Tu9N4LjG96hAtZRk1eAmIHAaUMcnxAd6hGdFMS5kR1nGpqidc.vbe

Filesize
228B

MD5
8f57fc07cea683f126f6a490d3e1f0c9

SHA1
9e28edb72eaeee5be52030dc9a99e9dbb6963cd7

SHA256
c3891378665c83eb627171ba132a9c4f596d3b3394765a75fe86636b4d50f63c

SHA512
a79a82e8c496758e1473fd7dc365d75ba2a638d9718de6a1dbb6249b2d87abe2461ad975bf9758fb2f04a84ced8820a2990b619180dbdee0504d8da714cbcaef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESED8C.tmp

Filesize
1KB

MD5
882fec56da59a794f9ec843311a970e0

SHA1
14772c3c3f35817652f795f4e0eeb033445c9e88

SHA256
95556ec9357ed7b4deff321a902e2c60cc017fc5b6e7eab3fc1c6c756aac156f

SHA512
8905276c8d21c79832832a19c058b48b8e156f39f17c38b121527e80520d2fa569d9141778fb466b9b419f464215298928eed813447a5f890a4fddb2f24dfc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_32iane0g.dbk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\or8YCvotrQ.bat

Filesize
164B

MD5
5decfdfbd7d3251c0eeb3bb8583eeb5f

SHA1
1b8ebdf9b608e31266426b00bece1c7f8988ad18

SHA256
bbe29ce614c5b95e0e6a38bbcf96be7c29bc73f7e3e3e9c95793ba051b114ed5

SHA512
4c6f2af5783a08849f250c3aae4412d3adb680702d4967181e8d5325a52bd0be421a0d7e4af9c9c4e1c717241cf65bb35cd4845aac649409be7c21c41fc922f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uzjqmssi\uzjqmssi.0.cs

Filesize
370B

MD5
c975288c9ef3ba7a78871be68f3ae88c

SHA1
1d144da8d0cac469faa4a3ad1e2a27092b1a65b6

SHA256
59d5b94d365887b5364d808b74e368c8e2bd31d02b48a2d84938b2db90dc8275

SHA512
8165d01d0d9d315d921033f52e604ee866f1be038db3b83969d6557b22dbb119fa6b5e91cc10afd951e34a8fe8a9364caba635d0f93cddf38c798543472eabc6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uzjqmssi\uzjqmssi.cmdline

Filesize
235B

MD5
9fb879637eb74443a3a985278ae7b644

SHA1
c962f5ffe223c113bbcec7c555ff18a116664092

SHA256
55ae74045c04354471b11f7afba7117e21c46965cbf5febce00615257113fbbc

SHA512
88d13f0ac2fe7e3b2887f98d22630ad1eab9b86b39b5e6a5d63a3f313b9e5780ab07697fb83a8d1c4ffbfb21a88d2490a779204710fea330a7840272f31de590

Download Submit
\??\c:\Windows\System32\CSC2C1A888C94D34B19A5E91F3A49D2D48.TMP

Filesize
1KB

MD5
acfb6faeec3eb6e047a5a2e7fc46f7c4

SHA1
bd7ca4bf6c574dec440c891d55a541a4cc20c376

SHA256
003e0aa24c6b8e2110a735f67fbd04e8669846591a5b4e21fe065ccc61fd92b8

SHA512
8084ffb6db54d21d869eb4f3d24f5081e0c177bffc703f1717e30b71dbf4898cccef8ef405d634556ef0370ecf67c1715151ae3d47277dea9cf612f73fc1e767

Download Submit
memory/788-15-0x00000000024B0000-0x00000000024BE000-memory.dmp

Filesize
56KB

Download
memory/788-26-0x0000000002530000-0x000000000253C000-memory.dmp

Filesize
48KB

Download
memory/788-24-0x00000000024D0000-0x00000000024DE000-memory.dmp

Filesize
56KB

Download
memory/788-22-0x00000000024C0000-0x00000000024CE000-memory.dmp

Filesize
56KB

Download
memory/788-20-0x000000001BC40000-0x000000001BC58000-memory.dmp

Filesize
96KB

Download
memory/788-18-0x000000001BC90000-0x000000001BCE0000-memory.dmp

Filesize
320KB

Download
memory/788-17-0x000000001BC20000-0x000000001BC3C000-memory.dmp

Filesize
112KB

Download
memory/788-13-0x00000000001C0000-0x00000000003B0000-memory.dmp

Filesize
1.9MB

Download
memory/788-12-0x00007FFF1FA13000-0x00007FFF1FA15000-memory.dmp

Filesize
8KB

Download
memory/3220-63-0x000001D54FE30000-0x000001D54FE52000-memory.dmp

Filesize
136KB

Download