Overview

overview

10

Static

static

10

97a026b442...4d.exe

windows7-x64

10

97a026b442...4d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-01-2025 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97a026b442f5d5739ea3d8565f3a044d.exe

  • Size

    2.6MB

  • MD5

    97a026b442f5d5739ea3d8565f3a044d

  • SHA1

    dd409fa09eede943173f5aed10542f378062dcb1

  • SHA256

    37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

  • SHA512

    007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d

  • SSDEEP

    49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk

Score
10/10
dcratevasionexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 55 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
    persistence
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 15 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 36 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 10 IoCs
    evasiontrojan
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • System policy modification 1 TTPs 15 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\97a026b442f5d5739ea3d8565f3a044d.exe
    "C:\Users\Admin\AppData\Local\Temp\97a026b442f5d5739ea3d8565f3a044d.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4044
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1460
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:884
    • C:\Program Files (x86)\Windows Mail\dllhost.exe
      "C:\Program Files (x86)\Windows Mail\dllhost.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2128
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9d0ac34-9f7c-4612-8888-dc5dd99848fa.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1844
        • C:\Program Files (x86)\Windows Mail\dllhost.exe
          "C:\Program Files (x86)\Windows Mail\dllhost.exe"
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4860
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37c470f0-bf29-44bc-b352-dc550b0ffb13.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2272
            • C:\Program Files (x86)\Windows Mail\dllhost.exe
              "C:\Program Files (x86)\Windows Mail\dllhost.exe"
              6⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4516
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\217c774c-ebc9-4d7c-881c-6ba57e3449cd.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:3584
                • C:\Program Files (x86)\Windows Mail\dllhost.exe
                  "C:\Program Files (x86)\Windows Mail\dllhost.exe"
                  8⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:3016
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00e8b4d7-e00a-44f2-bf7a-9fadb79b3e3e.vbs"
                    9⤵
                      PID:1640
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8829dee-6be3-48d3-92a0-ca20bac81a33.vbs"
                      9⤵
                        PID:1972
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03c3b149-cf2a-4fde-9db1-7a633028e21e.vbs"
                    7⤵
                      PID:2448
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68c298b6-b611-4c5f-8503-906f66e613d5.vbs"
                  5⤵
                    PID:876
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e98bdc47-bc15-42a3-b149-a9a716759bcf.vbs"
                3⤵
                  PID:228
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2428
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3160
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2664
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\OfficeClickToRun.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4900
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3936
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\OfficeClickToRun.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3068
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\taskhostw.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2028
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\taskhostw.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1004
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\PackageManifests\taskhostw.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2832
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:220
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2432
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2260
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2200
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3820
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:212
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3540
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4864
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\smss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2948
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4456
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\lsass.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4956
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3944
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2892
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3084
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1416
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4732
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fontdrvhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1500
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\spoolsv.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3508
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4844
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1904
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4244
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4440
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\dllhost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2724
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3612
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2308
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3980
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:5088
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:452
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:1516
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:776
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3792
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4608
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\System.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2984
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\csrss.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4944
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4784
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\csrss.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2280
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "97a026b442f5d5739ea3d8565f3a044d9" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\97a026b442f5d5739ea3d8565f3a044d.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4924
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "97a026b442f5d5739ea3d8565f3a044d" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\97a026b442f5d5739ea3d8565f3a044d.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4516
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "97a026b442f5d5739ea3d8565f3a044d9" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\97a026b442f5d5739ea3d8565f3a044d.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4796
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:2444
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:3036
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Process spawned unexpected child process
              • Scheduled Task/Job: Scheduled Task
              PID:4060

            Network

            MITRE ATT&CK Enterprise v15

            Reconnaissance

            Resource Development

            Initial Access

            Execution

            Command and Scripting Interpreter

            1
            T1059

            PowerShell

            1
            T1059.001

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Persistence

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Privilege Escalation

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Boot or Logon Autostart Execution

            2
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Winlogon Helper DLL

            1
            T1547.004

            Scheduled Task/Job

            1
            T1053

            Scheduled Task

            1
            T1053.005

            Defense Evasion

            Abuse Elevation Control Mechanism

            1
            T1548

            Bypass User Account Control

            1
            T1548.002

            Impair Defenses

            1
            T1562

            Disable or Modify Tools

            1
            T1562.001

            Modify Registry

            4
            T1112

            Credential Access

            Discovery

            Query Registry

            2
            T1012

            System Information Discovery

            3
            T1082

            Lateral Movement

            Collection

            Command and Control

            Exfiltration

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Recovery\WindowsRE\upfc.exe
              Filesize

              2.6MB

              MD5

              97a026b442f5d5739ea3d8565f3a044d

              SHA1

              dd409fa09eede943173f5aed10542f378062dcb1

              SHA256

              37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

              SHA512

              007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
              Filesize

              1KB

              MD5

              49b64127208271d8f797256057d0b006

              SHA1

              b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

              SHA256

              2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

              SHA512

              f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
              Filesize

              2KB

              MD5

              d85ba6ff808d9e5444a4b369f5bc2730

              SHA1

              31aa9d96590fff6981b315e0b391b575e4c0804a

              SHA256

              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

              SHA512

              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              2e907f77659a6601fcc408274894da2e

              SHA1

              9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

              SHA256

              385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

              SHA512

              34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              d28a889fd956d5cb3accfbaf1143eb6f

              SHA1

              157ba54b365341f8ff06707d996b3635da8446f7

              SHA256

              21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

              SHA512

              0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              62623d22bd9e037191765d5083ce16a3

              SHA1

              4a07da6872672f715a4780513d95ed8ddeefd259

              SHA256

              95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

              SHA512

              9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              944B

              MD5

              cadef9abd087803c630df65264a6c81c

              SHA1

              babbf3636c347c8727c35f3eef2ee643dbcc4bd2

              SHA256

              cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

              SHA512

              7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\00e8b4d7-e00a-44f2-bf7a-9fadb79b3e3e.vbs
              Filesize

              723B

              MD5

              c6918144142a9d707b41ed9d00035a11

              SHA1

              d772ff27e3c46038fe56893ec9dad00c13a7fc6c

              SHA256

              57420dec9e219d3d6c5f61f26fa0478a9b3418507623dd99e347314bb08a19f8

              SHA512

              227537304e9d79789151a25b90e1f2390feb64a3f3b10c75a75068425c391edf865d716cb74a5e5f0286af4f48018d3df7ee839f4ca934d89a2033c70d05a4aa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\217c774c-ebc9-4d7c-881c-6ba57e3449cd.vbs
              Filesize

              723B

              MD5

              935b59c19b2b9b15c6b4da2a8189f748

              SHA1

              c58cb64d6401befbf04b2547b416acab048ea52c

              SHA256

              f3198c814c658697c2961553333cd41b8cf55463457cf4bbdfd820a0aef1df3a

              SHA512

              afbbc396a0935f4b6a9f812c961440f36c0b402303cd970ec797de19c09b359a699ed6ae73b274b3eb47e74cac3295d9c2a3ee350b03bb708db4c1d29bb92bc0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\37c470f0-bf29-44bc-b352-dc550b0ffb13.vbs
              Filesize

              723B

              MD5

              fcdff3b4d6ff7e817a0a7b6788ca20fa

              SHA1

              ac71bb403a1269692ea30dcc85a3308245e5eafd

              SHA256

              d4fed2b5e30e1c72a8eef7b2ffbe594d33a454dfa78d2acff62dcc85e4d65107

              SHA512

              07d1e62543ea40c16a44769948cd098e2b65fd98f321c8185dec638d078071c48e933fb4f1931fae52a7f2769dc84938af16cdb2246e2d758503e25653bf96a5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vcjg5abt.po5.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\e98bdc47-bc15-42a3-b149-a9a716759bcf.vbs
              Filesize

              499B

              MD5

              d3c2c73415e339b62495f5e2cc019302

              SHA1

              06c29501145788459d9cb38418c4cb8253d8199a

              SHA256

              1df82d1740f15f866042d3e19df4467a85fb077fa547cb8b06964c1c0f60da02

              SHA512

              af956c163c9b70f3ae6cbf1daec85d44466b7534679104c6054782ca269ba4394c897b27b332cf032894d974c739a8f5c830bfd5ccc3ee8c974df9539a2e4846

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\f9d0ac34-9f7c-4612-8888-dc5dd99848fa.vbs
              Filesize

              723B

              MD5

              7933806078eb35b40290e926e7eedfa2

              SHA1

              0c92ba3f8f23892e89a325552fcd512587beaa21

              SHA256

              563de16c9fdf2e590381243d794b45db57851b8762333a338096dc290214ec1b

              SHA512

              bf379abc888721ef16917b8e5990dd4bb6c8f3de3fa69f6c3e544293417edac8fc3cae7a817a4301b1785350bcbe47c86901db569763c6b4b61c6d5eaadef7ce

              Download Submit

            • memory/2016-77-0x000001DC5A090000-0x000001DC5A0B2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4044-8-0x000000001AFD0000-0x000000001AFDA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4044-10-0x000000001BFA0000-0x000000001C4C8000-memory.dmp

              Filesize

              5.2MB

              Download

            • memory/4044-15-0x000000001B700000-0x000000001B70A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4044-17-0x000000001B600000-0x000000001B608000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4044-18-0x000000001B690000-0x000000001B69A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4044-19-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4044-14-0x000000001B5F0000-0x000000001B5F8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4044-67-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4044-13-0x000000001B5A0000-0x000000001B5F6000-memory.dmp

              Filesize

              344KB

              Download

            • memory/4044-12-0x000000001B030000-0x000000001B038000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4044-11-0x000000001B020000-0x000000001B02C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4044-16-0x000000001B710000-0x000000001B71E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4044-9-0x000000001AFF0000-0x000000001B002000-memory.dmp

              Filesize

              72KB

              Download

            • memory/4044-0-0x00007FFB34543000-0x00007FFB34545000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4044-7-0x000000001AFB0000-0x000000001AFC6000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4044-6-0x00000000025C0000-0x00000000025C8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/4044-5-0x000000001B040000-0x000000001B090000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4044-4-0x00000000025A0000-0x00000000025BC000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4044-3-0x0000000002590000-0x000000000259E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/4044-2-0x00007FFB34540000-0x00007FFB35001000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/4044-1-0x00000000000E0000-0x0000000000378000-memory.dmp

              Filesize

              2.6MB

              Download