dcrat | 714c3946e5b2691b37a20d47af5323e96e6d1ecc9976f9df841f1d5674d44b03

Analysis

max time kernel
1199s
max time network
1156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-12-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan-Alpha-main/NursultanAlpha.exe
Size

1.1MB
MD5

04d47663369ae93c8a2325d1fdafd7da
SHA1

d47262b1d1f8d938e44e98d96fbba35233166b53
SHA256

11b323227ec42ebc937299ac946582c13253b8a707c371adeadd225ec14f2eee
SHA512

78896538afd82ef2fe524502456510b3fc5dd0819bee92aaf0d002231b8bd11beee59f3a78d1bbbf2a33e6ab613f1b431cbf26fe8733b6ac70b69b2a47e92e1f
SSDEEP

24576:S2G/nvxW3Wu0Toe7NtsNN4rnw4P1DtV5ffUAU0X:SbA3G8ehWGH5T

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3992	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	3992	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000023b81-10.dat	dcrat
behavioral1/memory/2160-13-0x0000000000750000-0x0000000000826000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	ServerperfDhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NursultanAlpha.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 20 IoCs

pid	Process
2160	ServerperfDhcp.exe
1152	SearchApp.exe
3200	SearchApp.exe
3956	dllhost.exe
4068	dwm.exe
3416	System.exe
1016	sysmon.exe
4524	TextInputHost.exe
5004	SearchApp.exe
4864	dllhost.exe
4860	ServerperfDhcp.exe
2484	Registry.exe
3516	services.exe
3960	dwm.exe
3224	SearchApp.exe
1016	System.exe
8	dllhost.exe
228	sysmon.exe
2084	TextInputHost.exe
1516	SearchApp.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\fr\5940a34987c991	ServerperfDhcp.exe
File created	C:\Windows\System32\fr\dllhost.exe	ServerperfDhcp.exe
File opened for modification	C:\Windows\System32\fr\dllhost.exe	ServerperfDhcp.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\c5b4cb5e9653cc	ServerperfDhcp.exe
File created	C:\Program Files\Uninstall Information\SearchApp.exe	ServerperfDhcp.exe
File created	C:\Program Files\Uninstall Information\38384e6a620884	ServerperfDhcp.exe
File created	C:\Program Files\Windows Defender\de-DE\ServerperfDhcp.exe	ServerperfDhcp.exe
File created	C:\Program Files\Windows Defender\de-DE\b3b000bb924035	ServerperfDhcp.exe
File created	C:\Program Files\Windows Mail\services.exe	ServerperfDhcp.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\production\Registry.exe	ServerperfDhcp.exe
File created	C:\Windows\IdentityCRL\production\ee2ad38f3d4382	ServerperfDhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NursultanAlpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	NursultanAlpha.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	ServerperfDhcp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3276	schtasks.exe
2900	schtasks.exe
1400	schtasks.exe
324	schtasks.exe
1960	schtasks.exe
1968	schtasks.exe
552	schtasks.exe
868	schtasks.exe
1656	schtasks.exe
3252	schtasks.exe
2316	schtasks.exe
2076	schtasks.exe
1260	schtasks.exe
4784	schtasks.exe
4644	schtasks.exe
1368	schtasks.exe
2056	schtasks.exe
1460	schtasks.exe
1932	schtasks.exe
1272	schtasks.exe
3068	schtasks.exe
3080	schtasks.exe
3036	schtasks.exe
1304	schtasks.exe
2632	schtasks.exe
2896	schtasks.exe
4552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
2160	ServerperfDhcp.exe
1152	SearchApp.exe
3200	SearchApp.exe
3956	dllhost.exe
4068	dwm.exe
3416	System.exe
1016	sysmon.exe
5004	SearchApp.exe
4864	dllhost.exe
3516	services.exe
3960	dwm.exe
3224	SearchApp.exe
1016	System.exe
8	dllhost.exe
1516	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	ServerperfDhcp.exe
Token: SeDebugPrivilege	1152	SearchApp.exe
Token: SeDebugPrivilege	3200	SearchApp.exe
Token: SeDebugPrivilege	3956	dllhost.exe
Token: SeDebugPrivilege	4068	dwm.exe
Token: SeDebugPrivilege	3416	System.exe
Token: SeDebugPrivilege	1016	sysmon.exe
Token: SeDebugPrivilege	4524	TextInputHost.exe
Token: SeDebugPrivilege	5004	SearchApp.exe
Token: SeDebugPrivilege	4864	dllhost.exe
Token: SeDebugPrivilege	4860	ServerperfDhcp.exe
Token: SeDebugPrivilege	2484	Registry.exe
Token: SeDebugPrivilege	3516	services.exe
Token: SeDebugPrivilege	3960	dwm.exe
Token: SeDebugPrivilege	3224	SearchApp.exe
Token: SeDebugPrivilege	1016	System.exe
Token: SeDebugPrivilege	8	dllhost.exe
Token: SeDebugPrivilege	228	sysmon.exe
Token: SeDebugPrivilege	2084	TextInputHost.exe
Token: SeDebugPrivilege	1516	SearchApp.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3220 wrote to memory of 1552	3220	NursultanAlpha.exe	82
PID 3220 wrote to memory of 1552	3220	NursultanAlpha.exe	82
PID 3220 wrote to memory of 1552	3220	NursultanAlpha.exe	82
PID 1552 wrote to memory of 1040	1552	WScript.exe	83
PID 1552 wrote to memory of 1040	1552	WScript.exe	83
PID 1552 wrote to memory of 1040	1552	WScript.exe	83
PID 1040 wrote to memory of 2160	1040	cmd.exe	85
PID 1040 wrote to memory of 2160	1040	cmd.exe	85
PID 2160 wrote to memory of 1992	2160	ServerperfDhcp.exe	116
PID 2160 wrote to memory of 1992	2160	ServerperfDhcp.exe	116
PID 1992 wrote to memory of 1976	1992	cmd.exe	118
PID 1992 wrote to memory of 1976	1992	cmd.exe	118
PID 1992 wrote to memory of 1152	1992	cmd.exe	121
PID 1992 wrote to memory of 1152	1992	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan-Alpha-main\NursultanAlpha.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan-Alpha-main\NursultanAlpha.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\bridgeReviewintoCommon\q48d35.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\bridgeReviewintoCommon\KPrICBKXTXtcR2zQA74oF3h.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\bridgeReviewintoCommon\ServerperfDhcp.exe
      "C:\bridgeReviewintoCommon\ServerperfDhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45GEZxNSz3.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1976
      - C:\Program Files\Uninstall Information\SearchApp.exe
        
        "C:\Program Files\Uninstall Information\SearchApp.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\fr\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerperfDhcpS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\de-DE\ServerperfDhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerperfDhcp" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\ServerperfDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ServerperfDhcpS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\ServerperfDhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\bridgeReviewintoCommon\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\bridgeReviewintoCommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 9 /tr "'C:\bridgeReviewintoCommon\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\IdentityCRL\production\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\production\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Program Files\Uninstall Information\SearchApp.exe
"C:\Program Files\Uninstall Information\SearchApp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\System32\fr\dllhost.exe
C:\Windows\System32\fr\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Users\Public\Documents\My Pictures\sysmon.exe
"C:\Users\Public\Documents\My Pictures\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\bridgeReviewintoCommon\TextInputHost.exe
C:\bridgeReviewintoCommon\TextInputHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Program Files\Uninstall Information\SearchApp.exe
"C:\Program Files\Uninstall Information\SearchApp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

C:\Windows\System32\fr\dllhost.exe
C:\Windows\System32\fr\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Program Files\Windows Defender\de-DE\ServerperfDhcp.exe
"C:\Program Files\Windows Defender\de-DE\ServerperfDhcp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\IdentityCRL\production\Registry.exe
C:\Windows\IdentityCRL\production\Registry.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Program Files\Windows Mail\services.exe
"C:\Program Files\Windows Mail\services.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Recovery\WindowsRE\dwm.exe
C:\Recovery\WindowsRE\dwm.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Program Files\Uninstall Information\SearchApp.exe
"C:\Program Files\Uninstall Information\SearchApp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\System32\fr\dllhost.exe
C:\Windows\System32\fr\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Users\Public\Documents\My Pictures\sysmon.exe
"C:\Users\Public\Documents\My Pictures\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\bridgeReviewintoCommon\TextInputHost.exe
C:\bridgeReviewintoCommon\TextInputHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Program Files\Uninstall Information\SearchApp.exe
"C:\Program Files\Uninstall Information\SearchApp.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ServerperfDhcp.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Temp\45GEZxNSz3.bat

Filesize
217B

MD5
a17d4903dfc98d2a0630c4ab90646387

SHA1
d197693abe47b6cfaa23e6b94e2fb9c96258872d

SHA256
e1c5075b9696196a88eb0897dff064a4d1d0f36384b322bf3a8a6297cf07abd3

SHA512
1b8643eca86e1c27dcd641477ac77de335aec4f6349851e02eb046ee662e17288c7362fbd94dcfb2fdc8ed5b4edb7ea8bef9c28a55c3872b57f14ed703561825

Download Submit
C:\bridgeReviewintoCommon\KPrICBKXTXtcR2zQA74oF3h.bat

Filesize
46B

MD5
e41e1eaeb38aaaf5f6faf47d84758997

SHA1
36a485ab4eed2b99b85975909b5a3e050c3e6477

SHA256
29cb59c43d4a211ecba7d832c97c54a8c546bcc55d7df79ba1a4b6f227ecb404

SHA512
9218604ee28e76dc8528d4e1e70382bafbc028c97e39e95428ad62a92481e8ed46358630b535183fd35db7e91be8224ae78bfdb7de1ba862b4d523b2acad3c37

Download Submit
C:\bridgeReviewintoCommon\ServerperfDhcp.exe

Filesize
826KB

MD5
e2431fe3e9df46296c5172812bf43714

SHA1
d10efe8c25dc94b8f03deb224a321b93b30d0689

SHA256
c98b9c9410ff7194e6c06f5c697dbf2ce1a7dfddb022c44cf549ca348155bc58

SHA512
73e0786d5eb595c413155b00806d972d01a626e6a95958f270e5d4ffba5cbf73f6b7370a9af30f0bbaad974ce00dc2722634978e30593e6b71e5ebda983f612d

Download Submit
C:\bridgeReviewintoCommon\q48d35.vbe

Filesize
223B

MD5
5adff5d24c943847d902dd7d8f4c8a76

SHA1
4f18d31eb01bcbf1b1d48580ce544a2f85073f69

SHA256
590143e99e94677b9194f9c4ac1e9a820de37b1a9d4ba9689c0cddb315877808

SHA512
908484d614e89b1c3df9c2dd1847f42da64cb4a8cf6e47535325591f7d9bb414c7caf7d93e88d49d048c34b506f5f8f8c3ddaeab38a8a689880baa0b7389bde2

Download Submit
memory/2160-12-0x00007FFEC5E13000-0x00007FFEC5E15000-memory.dmp

Filesize
8KB

Download
memory/2160-13-0x0000000000750000-0x0000000000826000-memory.dmp

Filesize
856KB

Download