Overview

overview

10

Static

static

10

37afdc0779...72.exe

windows7-x64

10

37afdc0779...72.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2025 02:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe

  • Size

    2.6MB

  • MD5

    97a026b442f5d5739ea3d8565f3a044d

  • SHA1

    dd409fa09eede943173f5aed10542f378062dcb1

  • SHA256

    37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

  • SHA512

    007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d

  • SSDEEP

    49152:cVtVRFA8evMabRZgEVjPW8bfBodneUXBXw7YKdy2043sjkH:cNR/eUab3W8todenPJcjk

Score
10/10
dcratevasionexecutioninfostealerpersistencerattrojan

Malware Config

Signatures

  • DcRat 43 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 14 IoCs
    persistence
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 28 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs
  • System policy modification 1 TTPs 21 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe
    "C:\Users\Admin\AppData\Local\Temp\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:64
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4856
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1216
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iZI5hhwLa0.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4944
        • C:\Recovery\WindowsRE\dllhost.exe
          "C:\Recovery\WindowsRE\dllhost.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1816
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32604370-3b14-454c-b783-f6934e9f9496.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:376
            • C:\Recovery\WindowsRE\dllhost.exe
              C:\Recovery\WindowsRE\dllhost.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3364
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a204c96-a3ea-475b-ae77-b333ab689cbf.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4712
                • C:\Recovery\WindowsRE\dllhost.exe
                  C:\Recovery\WindowsRE\dllhost.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1876
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\114f95a5-f247-46b6-aec6-a231840001e3.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:928
                    • C:\Recovery\WindowsRE\dllhost.exe
                      C:\Recovery\WindowsRE\dllhost.exe
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3180
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11dbbc77-a67f-4a75-9582-429196cf64b2.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1856
                        • C:\Recovery\WindowsRE\dllhost.exe
                          C:\Recovery\WindowsRE\dllhost.exe
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2392
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4844ac91-9cc3-4cfc-814e-e3a5fce2b9b5.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2284
                            • C:\Recovery\WindowsRE\dllhost.exe
                              C:\Recovery\WindowsRE\dllhost.exe
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:3476
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c68841-6154-4814-a98f-08e06c3f42b8.vbs"
                                14⤵
                                  PID:2124
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0be0253b-2bbf-42a2-92f4-a6bbe6b6f613.vbs"
                                  14⤵
                                    PID:4880
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\976fea0f-0e0e-4c7f-9667-e8775f1404e5.vbs"
                                12⤵
                                  PID:220
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80ee9958-eb8f-48ec-9308-1a805a3bb895.vbs"
                              10⤵
                                PID:4920
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\976422e7-997a-430d-8e9b-1a6f736b2354.vbs"
                            8⤵
                              PID:2820
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5efe288-9006-4bb4-8e7a-88179ad9137f.vbs"
                          6⤵
                            PID:2380
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22dcbcef-e26d-491a-babd-92c79fa0efaa.vbs"
                        4⤵
                          PID:4228
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:648
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4464
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2932
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3428
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3080
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\backgroundTaskHost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4832
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4788
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:628
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2788
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\spoolsv.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4340
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SysWOW64\spoolsv.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2360
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\SysWOW64\spoolsv.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1764
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\smss.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2984
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:440
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1400
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\sysmon.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2176
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\sysmon.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3948
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\sysmon.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:116
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\SppExtComObj.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4372
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4380
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SppExtComObj.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4836
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\explorer.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2728
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2568
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3076
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\en-US\dllhost.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2148
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4976
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4228
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1716
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:320
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1156
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b723" /sc MINUTE /mo 12 /tr "'C:\Users\Default\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:852
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72" /sc ONLOGON /tr "'C:\Users\Default\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2596
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b723" /sc MINUTE /mo 13 /tr "'C:\Users\Default\37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4204
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sppsvc.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2172
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4356
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4844
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:644
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4544
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4056
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4712
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:856
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • DcRat
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2060

                  Network

                  MITRE ATT&CK Enterprise v15

                  Reconnaissance

                  Resource Development

                  Initial Access

                  Execution

                  Command and Scripting Interpreter

                  1
                  T1059

                  PowerShell

                  1
                  T1059.001

                  Scheduled Task/Job

                  1
                  T1053

                  Scheduled Task

                  1
                  T1053.005

                  Persistence

                  Boot or Logon Autostart Execution

                  2
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Winlogon Helper DLL

                  1
                  T1547.004

                  Scheduled Task/Job

                  1
                  T1053

                  Scheduled Task

                  1
                  T1053.005

                  Privilege Escalation

                  Abuse Elevation Control Mechanism

                  1
                  T1548

                  Bypass User Account Control

                  1
                  T1548.002

                  Boot or Logon Autostart Execution

                  2
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Winlogon Helper DLL

                  1
                  T1547.004

                  Scheduled Task/Job

                  1
                  T1053

                  Scheduled Task

                  1
                  T1053.005

                  Defense Evasion

                  Abuse Elevation Control Mechanism

                  1
                  T1548

                  Bypass User Account Control

                  1
                  T1548.002

                  Impair Defenses

                  1
                  T1562

                  Disable or Modify Tools

                  1
                  T1562.001

                  Modify Registry

                  4
                  T1112

                  Credential Access

                  Discovery

                  Query Registry

                  2
                  T1012

                  System Information Discovery

                  3
                  T1082

                  Lateral Movement

                  Collection

                  Command and Control

                  Exfiltration

                  Impact

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files\MSBuild\smss.exe
                    Filesize

                    2.6MB

                    MD5

                    97a026b442f5d5739ea3d8565f3a044d

                    SHA1

                    dd409fa09eede943173f5aed10542f378062dcb1

                    SHA256

                    37afdc07792fe92b790bd6ba935889cef87b699d9f1a8f86336076f8cf6e4b72

                    SHA512

                    007b12f6c721ad9681c2013ac0038a23b1dc4bc2fb87c779e85970e820d5f4735c962f05a378ece3a0f23e4288172ccc43b634dffdc12a636673852884dd297d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
                    Filesize

                    1KB

                    MD5

                    49b64127208271d8f797256057d0b006

                    SHA1

                    b99bd7e2b4e9ed24de47fb3341ea67660b84cca1

                    SHA256

                    2a5d403a2e649d8eceef8f785eeb0f6d33888ec6bbf251b3c347e34cb32b1e77

                    SHA512

                    f7c728923c893dc9bc88ad2159e0abcda41e1b40ff7e7756e6252d135ed238a2248a2662b3392449836dd1b0b580f0c866cc33e409527484fe4602e3d3f10e3e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    77d622bb1a5b250869a3238b9bc1402b

                    SHA1

                    d47f4003c2554b9dfc4c16f22460b331886b191b

                    SHA256

                    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                    SHA512

                    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    d28a889fd956d5cb3accfbaf1143eb6f

                    SHA1

                    157ba54b365341f8ff06707d996b3635da8446f7

                    SHA256

                    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                    SHA512

                    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    5f0ddc7f3691c81ee14d17b419ba220d

                    SHA1

                    f0ef5fde8bab9d17c0b47137e014c91be888ee53

                    SHA256

                    a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

                    SHA512

                    2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    e243a38635ff9a06c87c2a61a2200656

                    SHA1

                    ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                    SHA256

                    af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                    SHA512

                    4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    2e907f77659a6601fcc408274894da2e

                    SHA1

                    9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                    SHA256

                    385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                    SHA512

                    34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\114f95a5-f247-46b6-aec6-a231840001e3.vbs
                    Filesize

                    709B

                    MD5

                    81b7d0ad04a5ec20868d3c9c648932c8

                    SHA1

                    a6c7a66e9f77b7a2c65a88f7a195d0711fd87a4f

                    SHA256

                    e4c6daef1be5b32563a919d2ce61cbf75942314ac6823ed1a418afba15169ec7

                    SHA512

                    817f198866e3d4bc3eee1b10f5946ad64828f45364723fabe7d891a44f875adc9edabe0ae5fa52328f8de11d48c26dc2d0dca5398ff62cf76d18b06574f23ff1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\11dbbc77-a67f-4a75-9582-429196cf64b2.vbs
                    Filesize

                    709B

                    MD5

                    946ac488a1ad61208fd83e498388229a

                    SHA1

                    729e10db483fd626353babb611d04a8a1d50c4e0

                    SHA256

                    7dc5454d7895a7d693b8c86ff17ec51520afb25d6bb6ae095e6357eba3d27976

                    SHA512

                    f70ff5f09df585872c1cd3ab07c95910cb65525e1c4bb4360d4a6769925513d72a860408ffdeaab0107dbcfb45076645d1d100c1666c506006cc24c02a0e2cdf

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\22dcbcef-e26d-491a-babd-92c79fa0efaa.vbs
                    Filesize

                    485B

                    MD5

                    161b07556ea24172bee04e00652a2ee7

                    SHA1

                    c3a176190a7f1d753df9c0fb0700ed255e6865d5

                    SHA256

                    36b9cd287c34ca3ad07c7594bbc45627dddcc038235ca2d7533749acd7254a09

                    SHA512

                    108652c6a9b1f0c53d49415b2eadde92fd0bcc738bd7206f18787a8208a4cf3679d87d4c88c49b6df65190f640bea4a069f58c7518b1cd86defd7f12be747f1e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\32604370-3b14-454c-b783-f6934e9f9496.vbs
                    Filesize

                    709B

                    MD5

                    f8ebb88e52bc1254404956f73162b8c6

                    SHA1

                    537e64916a2ec6d360d2197223f2a71a2c130cdf

                    SHA256

                    a36514cbfd2ff8de1d4843b57220eeeb3d6e02043f8d106e40ef7b98407322e5

                    SHA512

                    7470e8f9d7bcb3a20be0d260e262efe1950d7eef0a4a7f6e13370371fed877221f70834b85e9380f8cb2f5e8a023d484ff3fc4bdaea841763657e8da78b0daa1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\4844ac91-9cc3-4cfc-814e-e3a5fce2b9b5.vbs
                    Filesize

                    709B

                    MD5

                    e81029d028dc458b5509cb9961008def

                    SHA1

                    f858960760083affdadb5165dac7b1adc255aa35

                    SHA256

                    f270f77a3d195678df6ad806c7030e447fa4c12ca1d74fbffe908be4bae22e6a

                    SHA512

                    7be4990e7981a38430da8dc126041144c9e827580d699355840c3abc97ed1e364f75f95e8acad1a241f1ade9744c5dc0d84317e933d0f2f95d93e5841c1f8708

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\4a204c96-a3ea-475b-ae77-b333ab689cbf.vbs
                    Filesize

                    709B

                    MD5

                    329210bc694c32d6e84e7eacca40b9d1

                    SHA1

                    9cca590f3fbb6b55ce71e822cf6b354cb21b4d5c

                    SHA256

                    28d1083c0a022a58e299f3e9fad2d6b2d4fa45f7e55148688b88448a82d3af5b

                    SHA512

                    76e1b82b5836a3ac47c7eb3db7a8e9580e212d0f897c3e6e198c3e67be682be5e650461222c5df28b79c6eb894239b715b88426c5a2cadc42ffaf53ba06eb258

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\58c68841-6154-4814-a98f-08e06c3f42b8.vbs
                    Filesize

                    709B

                    MD5

                    ac3652e8df0dde5043da1dbb7a8e51d0

                    SHA1

                    5858d06c053d3acbc8322df2e3cb10b71b417c29

                    SHA256

                    0a58143a163f27239f723cb7fc3d1597b6e9528ef03ca2007266092dcd662e5c

                    SHA512

                    57261ce26cbf73c58bb3ef3ace60367683ff06258a97af1217421747fddeeac772a62da89764289cb9fa43938004536f91f2eeaf7e1c41648e470e36d642f309

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mu3er4mx.gbk.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\iZI5hhwLa0.bat
                    Filesize

                    198B

                    MD5

                    bd56b5c4078dc6bb693baead89b7665f

                    SHA1

                    9e99d2cc1b2768b5ed3f33e24de95286a6d84f5b

                    SHA256

                    9297cc96c3e1bdca89c0f2e6e2de022e34ead657f86255d6c911e5fa3c1be1d4

                    SHA512

                    777f194e2f6659b2c5bdfa69cc7a0d7fb4590ffeb310588f5f91d383b6841bca68ef6f3f86724bb92e252484c58a838fb6cc0e9c5ebe1968da229be94258de47

                    Download Submit

                  • memory/1684-0-0x00007FFE2E223000-0x00007FFE2E225000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1684-15-0x000000001B860000-0x000000001B86A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/1684-17-0x000000001B880000-0x000000001B888000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1684-9-0x000000001B150000-0x000000001B162000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/1684-10-0x000000001C1E0000-0x000000001C708000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/1684-74-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1684-8-0x000000001B140000-0x000000001B14A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/1684-18-0x000000001BA50000-0x000000001BA5A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/1684-5-0x000000001B170000-0x000000001B1C0000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/1684-4-0x000000001B100000-0x000000001B11C000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/1684-3-0x0000000002650000-0x000000000265E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1684-2-0x00007FFE2E220000-0x00007FFE2ECE1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1684-6-0x000000001B0E0000-0x000000001B0E8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1684-19-0x000000001BA60000-0x000000001BA6C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1684-7-0x000000001B120000-0x000000001B136000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/1684-16-0x000000001B870000-0x000000001B87E000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/1684-1-0x0000000000340000-0x00000000005D8000-memory.dmp

                    Filesize

                    2.6MB

                    Download

                  • memory/1684-14-0x000000001B850000-0x000000001B858000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1684-13-0x000000001B800000-0x000000001B856000-memory.dmp

                    Filesize

                    344KB

                    Download

                  • memory/1684-12-0x000000001B7F0000-0x000000001B7F8000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/1684-11-0x000000001B160000-0x000000001B16C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1816-179-0x0000000003050000-0x0000000003062000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/2392-225-0x000000001BD50000-0x000000001BDA6000-memory.dmp

                    Filesize

                    344KB

                    Download

                  • memory/3476-237-0x000000001B4A0000-0x000000001B4B2000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/4756-61-0x000001C8D0E30000-0x000001C8D0E52000-memory.dmp

                    Filesize

                    136KB

                    Download