dcrat | d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
Size

1.7MB
MD5

6307524bb031c6046e35387966560610
SHA1

d5d11bb96b66a4d6b918e80f9a35de9d131e2460
SHA256

d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0
SHA512

1a4cad8c180677a824015923de749b6529793a4da3447b18e5cabba9a55a9e15b46ee7468095d70321b37dfa3d8593876688a7aa84269497d091eaf668a94a4e
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3412	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2412	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2412	schtasks.exe	83

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1668-1-0x0000000000480000-0x0000000000636000-memory.dmp	dcrat
behavioral2/files/0x0008000000023cb2-31.dat	dcrat
behavioral2/files/0x0009000000023cb2-40.dat	dcrat
behavioral2/files/0x0008000000023cad-222.dat	dcrat
behavioral2/memory/1916-225-0x0000000000730000-0x00000000008E6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3616	powershell.exe
3212	powershell.exe
4300	powershell.exe
3844	powershell.exe
3564	powershell.exe
728	powershell.exe
1216	powershell.exe
3672	powershell.exe
3380	powershell.exe
2052	powershell.exe
2164	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 2 IoCs

pid	Process
1916	TextInputHost.exe
5100	TextInputHost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Logs\sppsvc.exe	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
File created	C:\Windows\Logs\0a1fd5f707cd16	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
File opened for modification	C:\Windows\Logs\RCXC529.tmp	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
File opened for modification	C:\Windows\Logs\RCXC52A.tmp	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
File opened for modification	C:\Windows\Logs\sppsvc.exe	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3448	schtasks.exe
4680	schtasks.exe
4136	schtasks.exe
3064	schtasks.exe
752	schtasks.exe
1388	schtasks.exe
3412	schtasks.exe
4764	schtasks.exe
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
2164	powershell.exe
2164	powershell.exe
4300	powershell.exe
4300	powershell.exe
3672	powershell.exe
3672	powershell.exe
3212	powershell.exe
3212	powershell.exe
3616	powershell.exe
3616	powershell.exe
3380	powershell.exe
3380	powershell.exe
1216	powershell.exe
1216	powershell.exe
3564	powershell.exe
3564	powershell.exe
2052	powershell.exe
2052	powershell.exe
728	powershell.exe
728	powershell.exe
3844	powershell.exe
3844	powershell.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
3212	powershell.exe
4300	powershell.exe
2052	powershell.exe
2164	powershell.exe
3672	powershell.exe
3380	powershell.exe
3616	powershell.exe
1216	powershell.exe
3564	powershell.exe
3844	powershell.exe
728	powershell.exe
1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe
1916	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	3844	powershell.exe
Token: SeDebugPrivilege	1916	TextInputHost.exe
Token: SeDebugPrivilege	5100	TextInputHost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 4300	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	94
PID 1668 wrote to memory of 4300	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	94
PID 1668 wrote to memory of 3380	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	95
PID 1668 wrote to memory of 3380	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	95
PID 1668 wrote to memory of 3844	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	96
PID 1668 wrote to memory of 3844	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	96
PID 1668 wrote to memory of 2052	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	97
PID 1668 wrote to memory of 2052	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	97
PID 1668 wrote to memory of 2164	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	98
PID 1668 wrote to memory of 2164	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	98
PID 1668 wrote to memory of 728	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	99
PID 1668 wrote to memory of 728	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	99
PID 1668 wrote to memory of 3564	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	100
PID 1668 wrote to memory of 3564	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	100
PID 1668 wrote to memory of 3616	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	101
PID 1668 wrote to memory of 3616	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	101
PID 1668 wrote to memory of 1216	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	102
PID 1668 wrote to memory of 1216	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	102
PID 1668 wrote to memory of 3212	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	103
PID 1668 wrote to memory of 3212	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	103
PID 1668 wrote to memory of 3672	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	104
PID 1668 wrote to memory of 3672	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	104
PID 1668 wrote to memory of 1916	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	116
PID 1668 wrote to memory of 1916	1668	d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe	116
PID 1916 wrote to memory of 2216	1916	TextInputHost.exe	117
PID 1916 wrote to memory of 2216	1916	TextInputHost.exe	117
PID 1916 wrote to memory of 1664	1916	TextInputHost.exe	118
PID 1916 wrote to memory of 1664	1916	TextInputHost.exe	118
PID 2216 wrote to memory of 5100	2216	WScript.exe	124
PID 2216 wrote to memory of 5100	2216	WScript.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe
"C:\Users\Admin\AppData\Local\Temp\d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0N.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Recovery\WindowsRE\TextInputHost.exe
  "C:\Recovery\WindowsRE\TextInputHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f520f33-3ac0-42cd-8629-a82ada9da2b3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Recovery\WindowsRE\TextInputHost.exe
      C:\Recovery\WindowsRE\TextInputHost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5100
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7ef7993-c487-4dfb-804e-d5fb6bda0bf9.vbs"
    3⤵
    PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\TextInputHost.exe

Filesize
1.7MB

MD5
7f0af0b92ba5e18174935e73e7f794f4

SHA1
1d52549b34b7323755bc87069157f97bfa0588d4

SHA256
f2883b271cf4ae1aca3e0633ae58837ebfe8db9fdc6cdfcbdbe6b0e33ebd1944

SHA512
5693f2c6be68106bc1c0ee220acded30f0dc8222acc6d4a8215ded820fb8c6e48b884aae4bcdfb9565b538c9a168a0b49fc9d1c5a1b5bd75787d2919eed5bee9

Download Submit
C:\Recovery\WindowsRE\dllhost.exe

Filesize
1.7MB

MD5
417f22153066e9252ffc3cbbdf0de0e4

SHA1
0750aa557b2a315fffff4f95b97c060a997c0d48

SHA256
a61d729784cd7635287574fb55fc538d5b841ca9f297a0079a65007007b26ba1

SHA512
d74ca3597d0623e74749d9860d20a4e3917cdc9930326c22ef01c47ea50f91f265effaf51d4ade79e96e59b6169eb56773185566b09b3eb73b82c81fd14021dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
3ad9a5252966a3ab5b1b3222424717be

SHA1
5397522c86c74ddbfb2585b9613c794f4b4c3410

SHA256
27525f5fc7871c6828ab5173315e95b5c7e918d2ee532781c562c378584b5249

SHA512
b1a745f7a0f33b777ffc34f74f42752144d9f2d06b8bc613e703570494762b3af87e153212c3274b18af14f17b8619e2f350b7c3cc11228f7d4208d4251e90e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
531f08ac3a06c5a3a09412a10fd95626

SHA1
ad756b5c27e710d81ece8a6d4fe865230cdc2bbf

SHA256
793902b936877a86b5d46d629a1c6d8c68ac8d42981788ddd4ede0f3381af6b0

SHA512
ac8c608fae29fa780400ac84e79b86c4a34ee7068f4f2c8056e4a2209a3ba62ae7716eaea2924e8412eab38ad003d59d4538d675019e50f15b3571e14c52fa73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f520f33-3ac0-42cd-8629-a82ada9da2b3.vbs

Filesize
715B

MD5
a91a659b384e04ed57b1a60778d2082e

SHA1
b9ab8e1f237ea7de9c241167c608d15d8bde4d7c

SHA256
aecd00a34aea5e957223ed0dd42a99f912c673c9c97047a1fcc3e6167ec4e4eb

SHA512
3ebea8d5de5f5166c0a0221029c3cb236ab52c31453484c74fcad2c45c1b6faaab6ca7aa5b5c3990156e86cf41b43a7a2149c740c954e50df4f08b2415a02095

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC092.tmp

Filesize
1.7MB

MD5
6307524bb031c6046e35387966560610

SHA1
d5d11bb96b66a4d6b918e80f9a35de9d131e2460

SHA256
d3e9370dd204a209e52b46717cb80c7f54bd9ae353b2fea658b0261f81d30ad0

SHA512
1a4cad8c180677a824015923de749b6529793a4da3447b18e5cabba9a55a9e15b46ee7468095d70321b37dfa3d8593876688a7aa84269497d091eaf668a94a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tvgdprnb.yen.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7ef7993-c487-4dfb-804e-d5fb6bda0bf9.vbs

Filesize
491B

MD5
8674271a356d0be2e7ca7c6e2d4f5c8f

SHA1
a660d2e3280fec4bfe2334739e51f2df2634e8d2

SHA256
938fa9d78a655653e412655aea1a4dc0867bc01f3ec65ed135cbcd77259e61c4

SHA512
202752ca0362e22dd5791c0ba22829fa552d11bbf2acef085495271413d3c3a9ed03d1dadc371e834bfddeb983ce52f0cd3ac7f7cb6bc9a0cae28afe3f5eac8d

Download Submit
memory/728-266-0x000001C1BE8B0000-0x000001C1BEA1A000-memory.dmp

Filesize
1.4MB

Download
memory/1216-247-0x0000026564B40000-0x0000026564CAA000-memory.dmp

Filesize
1.4MB

Download
memory/1668-226-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1668-3-0x0000000002750000-0x000000000276C000-memory.dmp

Filesize
112KB

Download
memory/1668-0-0x00007FF8DF773000-0x00007FF8DF775000-memory.dmp

Filesize
8KB

Download
memory/1668-19-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1668-22-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1668-14-0x000000001B290000-0x000000001B29C000-memory.dmp

Filesize
48KB

Download
memory/1668-13-0x000000001B230000-0x000000001B23C000-memory.dmp

Filesize
48KB

Download
memory/1668-17-0x000000001B260000-0x000000001B26C000-memory.dmp

Filesize
48KB

Download
memory/1668-11-0x0000000002830000-0x0000000002838000-memory.dmp

Filesize
32KB

Download
memory/1668-9-0x000000001B220000-0x000000001B230000-memory.dmp

Filesize
64KB

Download
memory/1668-18-0x000000001B270000-0x000000001B27C000-memory.dmp

Filesize
48KB

Download
memory/1668-15-0x000000001B240000-0x000000001B24A000-memory.dmp

Filesize
40KB

Download
memory/1668-10-0x00000000027D0000-0x00000000027DC000-memory.dmp

Filesize
48KB

Download
memory/1668-8-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1668-1-0x0000000000480000-0x0000000000636000-memory.dmp

Filesize
1.7MB

Download
memory/1668-7-0x00000000027A0000-0x00000000027B6000-memory.dmp

Filesize
88KB

Download
memory/1668-16-0x000000001B250000-0x000000001B258000-memory.dmp

Filesize
32KB

Download
memory/1668-5-0x0000000002770000-0x0000000002778000-memory.dmp

Filesize
32KB

Download
memory/1668-6-0x0000000002790000-0x00000000027A0000-memory.dmp

Filesize
64KB

Download
memory/1668-2-0x00007FF8DF770000-0x00007FF8E0231000-memory.dmp

Filesize
10.8MB

Download
memory/1668-4-0x00000000027E0000-0x0000000002830000-memory.dmp

Filesize
320KB

Download
memory/1916-225-0x0000000000730000-0x00000000008E6000-memory.dmp

Filesize
1.7MB

Download
memory/2052-238-0x000001BEB3560000-0x000001BEB36CA000-memory.dmp

Filesize
1.4MB

Download
memory/2164-125-0x000001CCABEC0000-0x000001CCABEE2000-memory.dmp

Filesize
136KB

Download
memory/2164-254-0x000001CCAC110000-0x000001CCAC27A000-memory.dmp

Filesize
1.4MB

Download
memory/3212-248-0x0000025FAB580000-0x0000025FAB6EA000-memory.dmp

Filesize
1.4MB

Download
memory/3380-264-0x0000023FD9A70000-0x0000023FD9BDA000-memory.dmp

Filesize
1.4MB

Download
memory/3564-269-0x0000028DF5680000-0x0000028DF57EA000-memory.dmp

Filesize
1.4MB

Download
memory/3616-265-0x0000015CCD460000-0x0000015CCD5CA000-memory.dmp

Filesize
1.4MB

Download
memory/3672-251-0x000001B2FABE0000-0x000001B2FAD4A000-memory.dmp

Filesize
1.4MB

Download
memory/3844-259-0x0000014875E80000-0x0000014875FEA000-memory.dmp

Filesize
1.4MB

Download
memory/4300-242-0x000002D426D80000-0x000002D426EEA000-memory.dmp

Filesize
1.4MB

Download
memory/5100-273-0x0000000002DF0000-0x0000000002E02000-memory.dmp

Filesize
72KB

Download