dcrat | 664f2edf9843880338b78f5b1919df48f0b8363883d691381adb724ca3324e6b

Analysis

max time kernel
95s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReinHoodCrack/ReinHoodCrack.exe
Size

1.9MB
MD5

d729318f3c05173ec630df123a15550f
SHA1

f1da12a6d6906ed1244f4270990fdd80de695787
SHA256

7cc84a0d97ee454b7c281e0a48b2150741420582d65c7f7358942acab3af4b8e
SHA512

ccdebad0ab7a30f138f65a84caac179d65491c6a1668985793f75e5a642831e74f370d56e67d6596d92923af98ee79a125e2cfe5f903840b0b4e0b205aefe9ca
SSDEEP

49152:mBf/tCg1Ef8V927r9PhOSeAj/570mJyOW167/7:4QguG92v9JdRamAk/7

Score

10^/10

dcrat discovery evasion execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\csrss.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\driverhost\\hyperMonitornet.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\csrss.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\csrss.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\csrss.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\cmd.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\csrss.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Adobe\\csrss.exe\", \"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\cmd.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\""	hyperMonitornet.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4000	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2488	schtasks.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2488	schtasks.exe	93

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
2472	powershell.exe
2116	powershell.exe
3568	powershell.exe
1884	powershell.exe
2900	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	hyperMonitornet.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ReinHoodCrack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1672	hyperMonitornet.exe
2280	hyperMonitornet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperMonitornet = "\"C:\\driverhost\\hyperMonitornet.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Adobe\\csrss.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\cmd.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\All Users\\Adobe\\Setup\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\cmd.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyperMonitornet = "\"C:\\driverhost\\hyperMonitornet.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Adobe\\csrss.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Libraries\\RuntimeBroker.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\wininit.exe\""	hyperMonitornet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\""	hyperMonitornet.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ipinfo.io
17	ipinfo.io
45	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC571B0468A3A444FBAF67EDB4ACDFE6E.TMP	csc.exe
File created	\??\c:\Windows\System32\ip2t47.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe	hyperMonitornet.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792	hyperMonitornet.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ReinHoodCrack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	ReinHoodCrack.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	hyperMonitornet.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4940	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5092	schtasks.exe
4000	schtasks.exe
780	schtasks.exe
3500	schtasks.exe
4920	schtasks.exe
1280	schtasks.exe
1036	schtasks.exe
5100	schtasks.exe
1456	schtasks.exe
1820	schtasks.exe
4912	schtasks.exe
5040	schtasks.exe
1400	schtasks.exe
684	schtasks.exe
3340	schtasks.exe
4256	schtasks.exe
4312	schtasks.exe
1340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe
1672	hyperMonitornet.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	hyperMonitornet.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2280	hyperMonitornet.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 4524	1984	ReinHoodCrack.exe	85
PID 1984 wrote to memory of 4524	1984	ReinHoodCrack.exe	85
PID 1984 wrote to memory of 4524	1984	ReinHoodCrack.exe	85
PID 4524 wrote to memory of 2312	4524	WScript.exe	87
PID 4524 wrote to memory of 2312	4524	WScript.exe	87
PID 4524 wrote to memory of 2312	4524	WScript.exe	87
PID 2312 wrote to memory of 4940	2312	cmd.exe	89
PID 2312 wrote to memory of 4940	2312	cmd.exe	89
PID 2312 wrote to memory of 4940	2312	cmd.exe	89
PID 2312 wrote to memory of 1672	2312	cmd.exe	90
PID 2312 wrote to memory of 1672	2312	cmd.exe	90
PID 1672 wrote to memory of 740	1672	hyperMonitornet.exe	98
PID 1672 wrote to memory of 740	1672	hyperMonitornet.exe	98
PID 740 wrote to memory of 3632	740	csc.exe	100
PID 740 wrote to memory of 3632	740	csc.exe	100
PID 1672 wrote to memory of 1884	1672	hyperMonitornet.exe	118
PID 1672 wrote to memory of 1884	1672	hyperMonitornet.exe	118
PID 1672 wrote to memory of 2900	1672	hyperMonitornet.exe	119
PID 1672 wrote to memory of 2900	1672	hyperMonitornet.exe	119
PID 1672 wrote to memory of 3568	1672	hyperMonitornet.exe	120
PID 1672 wrote to memory of 3568	1672	hyperMonitornet.exe	120
PID 1672 wrote to memory of 2116	1672	hyperMonitornet.exe	121
PID 1672 wrote to memory of 2116	1672	hyperMonitornet.exe	121
PID 1672 wrote to memory of 2508	1672	hyperMonitornet.exe	122
PID 1672 wrote to memory of 2508	1672	hyperMonitornet.exe	122
PID 1672 wrote to memory of 2472	1672	hyperMonitornet.exe	123
PID 1672 wrote to memory of 2472	1672	hyperMonitornet.exe	123
PID 1672 wrote to memory of 2064	1672	hyperMonitornet.exe	130
PID 1672 wrote to memory of 2064	1672	hyperMonitornet.exe	130
PID 2064 wrote to memory of 4976	2064	cmd.exe	132
PID 2064 wrote to memory of 4976	2064	cmd.exe	132
PID 2064 wrote to memory of 1220	2064	cmd.exe	133
PID 2064 wrote to memory of 1220	2064	cmd.exe	133
PID 2064 wrote to memory of 2280	2064	cmd.exe	141
PID 2064 wrote to memory of 2280	2064	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ReinHoodCrack\ReinHoodCrack.exe
"C:\Users\Admin\AppData\Local\Temp\ReinHoodCrack\ReinHoodCrack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\driverhost\QJeW8TvQQcQdddS2NNLe8raPuC9jj4AyM7Xu6zBc0iBIPzioGdTpOcBxC.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\driverhost\41iQaQPOddkQfhuOQlW7t.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4940
  - - C:\driverhost\hyperMonitornet.exe
      "C:\driverhost/hyperMonitornet.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oaiu0zcp\oaiu0zcp.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:740
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES785C.tmp" "c:\Windows\System32\CSC571B0468A3A444FBAF67EDB4ACDFE6E.TMP"
        6⤵
        
        PID:3632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\driverhost\hyperMonitornet.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6wsqhn13CS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4976
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1220
      - C:\driverhost\hyperMonitornet.exe
        
        "C:\driverhost\hyperMonitornet.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperMonitorneth" /sc MINUTE /mo 6 /tr "'C:\driverhost\hyperMonitornet.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperMonitornet" /sc ONLOGON /tr "'C:\driverhost\hyperMonitornet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hyperMonitorneth" /sc MINUTE /mo 9 /tr "'C:\driverhost\hyperMonitornet.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hyperMonitornet.exe.log

Filesize
1KB

MD5
050808ab0c42646c9803bbdb3a3d0466

SHA1
c1e3899b38f3b9c91f388e45d7dd3d819ff91644

SHA256
e6724e3ffa2b05ddd2b9b1499ad79b12fe7b2b15db9f228e2625bdad53b2ef8d

SHA512
15bd439c91cb0ca29f7b5ed71e2a7f3428f3d9119f45b487d3ff154bdb804e82bb3ef6d8435a8260144996ee4e3a15233d8cb7f9bda5eeaafa6e8aeed889bf74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
750e4be22a6fdadd7778a388198a9ee3

SHA1
8feb2054d8a3767833dd972535df54f0c3ab6648

SHA256
26209c196c9c45202d27468ea707b2b46f375bb612d50271924a28f9210df6a1

SHA512
b0415087dfc32908b449b876b395a607698b0f7b72031916b6fe7c002e4b163ba318b7e85c8ce41f007429e666974c04967bc14345e3f4614e34d94f5c8ae804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\6wsqhn13CS.bat

Filesize
209B

MD5
53de738ca827bd6e572b0128e8989ecd

SHA1
69cf9651b6bf5d2fb387e774fdb79e3853a520b5

SHA256
45350f4da51358f47797f58805e41b33d812992cd51bb8bdfacfd2bfaf7c2df7

SHA512
cf5dc45d1b3b916d80dedf51d177be87f3e50d359f6d1c64dad821736b5be383904cdba356709425d48a9c0751457f9e253baf053a25b41e6cb521503c4a921b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES785C.tmp

Filesize
1KB

MD5
833600938cd7e7e4dcba8f7e6dd55e6d

SHA1
0b89af2a392882739b3ccb45bb6af18c39cf3442

SHA256
0f2eab9dc0b11e9447470c9451822041a0c742a5ea9a8999f80ec938c359d52e

SHA512
27230ae6fc9c0235eb3f942bbc3c446b6ea48a1602e662e7dee56dc63481cafcba9268788a1130253a1d65b0f896a64b2b43f889165e937939101bc164aeaff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jwc5ouic.m4i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\driverhost\41iQaQPOddkQfhuOQlW7t.bat

Filesize
178B

MD5
33008107f84e59fda0410c57b2d6768e

SHA1
22bdb6d6dda704fc97417b9ce0b5e925f8e4512e

SHA256
3c6ff43f9fa9c429986727286f0985f7969cebaf8c62d77d0c2af0827885a20a

SHA512
f2cd4a37a0f91879ed300090f36ea2896924bf831ced1b03ce9d9417876e50be7d370795fb6621b4f2701baa160ec8e6aa5e37517c7b3053caa38d8305238633

Download Submit
C:\driverhost\QJeW8TvQQcQdddS2NNLe8raPuC9jj4AyM7Xu6zBc0iBIPzioGdTpOcBxC.vbe

Filesize
209B

MD5
f19c48ce044ec0b5e28c2b2530544b91

SHA1
04c97a36ca30a3b2a12c8cfe426962c8e034a222

SHA256
77889aa0242d969b55eb7933004380b401c9511dc42bb31b96ea67f168ad5736

SHA512
7b2ed4ec6a3b1a996539917915645738ae1b3d983008cc133a05cc4f7598a4e8d42bfcad04adf0b51a133991401f3ab3079970b5a990309f9169c11d7e89c889

Download Submit
C:\driverhost\hyperMonitornet.exe

Filesize
2.1MB

MD5
4bf2bcc271ffd6ec643a1f18dd55a0c4

SHA1
be2ba4193bb6c89d11dcddd86c773108ecd4b520

SHA256
d3066b626194a8d6f6d598a8cb4edca9843cc73935bd394a3ebbc45dbc80e3a1

SHA512
e3ea10a3ae4222b927f726e0e8e7ad375ebb92009fb0eaf80c6e4d6914b13cedc7750828f0eacac557083b9949f7995408d45d93b36011f6071352ff762906dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oaiu0zcp\oaiu0zcp.0.cs

Filesize
366B

MD5
0817c77585e7ce654f3dc62573255fce

SHA1
c48f50b688266a51f9afd14afd03d0b45a050008

SHA256
2c08e77fd4d5e313ebe91d7f91074700e2acbf0ed9cc8c980e66cc00507124d1

SHA512
9f4fe93e5dea731d1592c2ccd76b3132e6b88e3299e806e6ca9f4c71428b385b5b698eb58cc91d5a6e2ab4281900cabb3e6cba42a7566c65a166befa4833b375

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oaiu0zcp\oaiu0zcp.cmdline

Filesize
235B

MD5
294b57706e9662a9d292274185c7aa03

SHA1
c50993c053242d9ace752499a3b406a8e028ae0e

SHA256
47582d8f0090ce8b0c7480d154ab2569a52bd68ef237c76c44441a088a295519

SHA512
3e9167e0380021d0f5a1cd1f128bdfc1a50d08df454a940aa3cd9e33d1a47755d19ec34a5a998e67671e1372d3d6048f74534d6a41cfbbcb7a75133e55b1b5bc

Download Submit
\??\c:\Windows\System32\CSC571B0468A3A444FBAF67EDB4ACDFE6E.TMP

Filesize
1KB

MD5
034b083b6729ade0b138a24cbdd66c6d

SHA1
299c5a9dd91498cfc4226a5fe6d52ea633c2d148

SHA256
8e3aa7a68c0bfea6cae11fe40e79aa1483bc2e43c4c3fd11fcebca1f7bcea0d2

SHA512
43f68ec3211f2d1eb3a095713b3988a5b45a6fb03136876431edd3b25b628f904079557cbb60d0107c0444551db274c8e6817d63a543e8a7e390206af64d1cc3

Download Submit
memory/1672-17-0x000000001C030000-0x000000001C080000-memory.dmp

Filesize
320KB

Download
memory/1672-23-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/1672-35-0x00000000031A0000-0x00000000031AC000-memory.dmp

Filesize
48KB

Download
memory/1672-31-0x0000000003180000-0x000000000318E000-memory.dmp

Filesize
56KB

Download
memory/1672-29-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/1672-27-0x0000000003160000-0x000000000316C000-memory.dmp

Filesize
48KB

Download
memory/1672-25-0x0000000003150000-0x000000000315E000-memory.dmp

Filesize
56KB

Download
memory/1672-33-0x0000000003190000-0x0000000003198000-memory.dmp

Filesize
32KB

Download
memory/1672-12-0x0000000000CB0000-0x0000000000ECA000-memory.dmp

Filesize
2.1MB

Download
memory/1672-21-0x0000000002FE0000-0x0000000002FEE000-memory.dmp

Filesize
56KB

Download
memory/1672-19-0x0000000003020000-0x0000000003038000-memory.dmp

Filesize
96KB

Download
memory/1672-16-0x0000000003000000-0x000000000301C000-memory.dmp

Filesize
112KB

Download
memory/1672-14-0x0000000002FD0000-0x0000000002FDE000-memory.dmp

Filesize
56KB

Download
memory/2472-73-0x000001EEBEC10000-0x000001EEBEC32000-memory.dmp

Filesize
136KB

Download