dcrat | c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
Size

1.7MB
MD5

15f0518755f69a45d4bbee4601eca73e
SHA1

880798aa715fdf93d1554ec4e8859ea25cb79d48
SHA256

c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff
SHA512

ee28371ff0e4b4c55e66e1c2797b78ba0c6e349c7f74cd4f35aba3c4ec694cbdd8e2490285dfe5067209ac23a986948a453304e623ca32f0b37777c96774207f
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvK:eTHUxUoh1IF9gl2d

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2208	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2208	schtasks.exe	84

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3800-1-0x0000000000020000-0x00000000001E0000-memory.dmp	dcrat
behavioral2/files/0x0008000000023cd8-32.dat	dcrat
behavioral2/files/0x0008000000023cd9-53.dat	dcrat
behavioral2/memory/4800-201-0x0000000000CE0000-0x0000000000EA0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
220	powershell.exe
628	powershell.exe
3100	powershell.exe
1632	powershell.exe
720	powershell.exe
4780	powershell.exe
1568	powershell.exe
868	powershell.exe
460	powershell.exe
4384	powershell.exe
5052	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 3 IoCs

pid	Process
4800	sihost.exe
2360	sihost.exe
2892	sihost.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\sysmon.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\VideoLAN\121e5b5079f7c0	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\microsoft.system.package.metadata\Registry.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\VideoLAN\RCXCA86.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\VideoLAN\RCXCA87.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\System.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\VideoLAN\sysmon.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\System.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Windows\addins\27d1bcfc3c54e0	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\addins\RCXCF0E.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\addins\RCXCF1E.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\addins\System.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
376	schtasks.exe
2260	schtasks.exe
4132	schtasks.exe
3364	schtasks.exe
1160	schtasks.exe
1388	schtasks.exe
216	schtasks.exe
2012	schtasks.exe
2896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
628	powershell.exe
628	powershell.exe
460	powershell.exe
460	powershell.exe
4384	powershell.exe
4384	powershell.exe
720	powershell.exe
720	powershell.exe
3100	powershell.exe
3100	powershell.exe
4780	powershell.exe
4780	powershell.exe
1632	powershell.exe
1632	powershell.exe
868	powershell.exe
868	powershell.exe
220	powershell.exe
220	powershell.exe
1568	powershell.exe
1568	powershell.exe
5052	powershell.exe
5052	powershell.exe
1632	powershell.exe
4384	powershell.exe
460	powershell.exe
628	powershell.exe
4780	powershell.exe
220	powershell.exe
720	powershell.exe
3100	powershell.exe
5052	powershell.exe
1568	powershell.exe
868	powershell.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe
4800	sihost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	460	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	220	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4800	sihost.exe
Token: SeDebugPrivilege	2360	sihost.exe
Token: SeDebugPrivilege	2892	sihost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 220	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	94
PID 3800 wrote to memory of 220	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	94
PID 3800 wrote to memory of 4780	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	95
PID 3800 wrote to memory of 4780	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	95
PID 3800 wrote to memory of 1568	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	96
PID 3800 wrote to memory of 1568	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	96
PID 3800 wrote to memory of 628	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	97
PID 3800 wrote to memory of 628	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	97
PID 3800 wrote to memory of 3100	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	98
PID 3800 wrote to memory of 3100	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	98
PID 3800 wrote to memory of 868	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	99
PID 3800 wrote to memory of 868	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	99
PID 3800 wrote to memory of 460	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	100
PID 3800 wrote to memory of 460	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	100
PID 3800 wrote to memory of 4384	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	101
PID 3800 wrote to memory of 4384	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	101
PID 3800 wrote to memory of 1632	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	102
PID 3800 wrote to memory of 1632	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	102
PID 3800 wrote to memory of 720	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	103
PID 3800 wrote to memory of 720	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	103
PID 3800 wrote to memory of 5052	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	104
PID 3800 wrote to memory of 5052	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	104
PID 3800 wrote to memory of 2420	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	116
PID 3800 wrote to memory of 2420	3800	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	116
PID 2420 wrote to memory of 4132	2420	cmd.exe	118
PID 2420 wrote to memory of 4132	2420	cmd.exe	118
PID 2420 wrote to memory of 4800	2420	cmd.exe	119
PID 2420 wrote to memory of 4800	2420	cmd.exe	119
PID 4800 wrote to memory of 4408	4800	sihost.exe	120
PID 4800 wrote to memory of 4408	4800	sihost.exe	120
PID 4800 wrote to memory of 4308	4800	sihost.exe	121
PID 4800 wrote to memory of 4308	4800	sihost.exe	121
PID 4408 wrote to memory of 2360	4408	WScript.exe	130
PID 4408 wrote to memory of 2360	4408	WScript.exe	130
PID 2360 wrote to memory of 2072	2360	sihost.exe	131
PID 2360 wrote to memory of 2072	2360	sihost.exe	131
PID 2360 wrote to memory of 3024	2360	sihost.exe	132
PID 2360 wrote to memory of 3024	2360	sihost.exe	132
PID 2072 wrote to memory of 2892	2072	WScript.exe	133
PID 2072 wrote to memory of 2892	2072	WScript.exe	133
PID 2892 wrote to memory of 3972	2892	sihost.exe	134
PID 2892 wrote to memory of 3972	2892	sihost.exe	134
PID 2892 wrote to memory of 3368	2892	sihost.exe	135
PID 2892 wrote to memory of 3368	2892	sihost.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
"C:\Users\Admin\AppData\Local\Temp\c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iZKNaLvFxc.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4132
- - C:\Recovery\WindowsRE\sihost.exe
    "C:\Recovery\WindowsRE\sihost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01a57d6f-d5be-44b9-a64e-b0f6067cf279.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4408
    - - C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0407e4e5-6888-4fe6-b523-8dc7135e91a3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37918b8c-0552-42cb-8c65-590812b7eb79.vbs"
        8⤵
        
        PID:3972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\598eb23c-1b50-4a6d-94ee-32367397e419.vbs"
        8⤵
        
        PID:3368
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f33e6152-3d72-473b-b181-ce425fec5e5d.vbs"
        6⤵
        
        PID:3024
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08fa82aa-c766-47ca-9116-a84859a9275a.vbs"
      4⤵
      PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\sihost.exe

Filesize
1.7MB

MD5
f80a4d740390afed85b2fda632bb34c2

SHA1
1ab7b7e5fd2f7344660e5017c8396640900f729c

SHA256
47407fdc0ad6dc50ae6ae14a82bd3912ddd6c050fe32247ef58bfb0e516b72bb

SHA512
6dd33dbc5e2eeaff9c83215e745ae8809599ddaca58b0e6f4de6c40d457dff455ce695a05c68b395ec0c4e4c1e16b900a598b74be95cb7a36765903070f171f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\01a57d6f-d5be-44b9-a64e-b0f6067cf279.vbs

Filesize
708B

MD5
81c8e7171f928a7d0c80fc7429f980b3

SHA1
2adb42833402c50535338dc12361a9446c5a99c3

SHA256
edd8b2b10c73eb9b7605553a5ffee38ded29d548d86b66d2d9845c2922acb6d9

SHA512
049f6bc47087b670c16f797bde78771e5e35453cd26fa67a37449e10a3789d76f6f18954cb077755e6aa39d5831cdcab8f8a6d9161ef279483b819206341dd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\0407e4e5-6888-4fe6-b523-8dc7135e91a3.vbs

Filesize
708B

MD5
62ee09267d3c2edfe6f5838bb5338910

SHA1
9458a8c7ce046f2b6516ae9225f8b7b841587b61

SHA256
a2b098ff3492b06f5c4f64da11a262df8c3cdd1767589026f82ab2a2eab9905a

SHA512
4cdb152453eb6cd122e771f675bbac18cf9f28ed3d7870c7b7af1b934215c5bf98a754a65dca8478084f8a70f8c8e1850754eca5ccc7841c776052f09e8472cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\08fa82aa-c766-47ca-9116-a84859a9275a.vbs

Filesize
484B

MD5
117e699a8b2edd4232ff2a67b4bbc3b9

SHA1
81783d37cc59dd41e613974a5a802d8c90b1c9b9

SHA256
e501e544106a941f6b1e5762dc53b7c6aa0ac665b85647b47d503dd6e1805f38

SHA512
e6416ddd210d18250872e281de69ca7c920a4ba592dd8bab3bff7c437ac77724bc67505fcd3aedff6119a5fd589869c8a54855a44294c416d5608145f17e7ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\37918b8c-0552-42cb-8c65-590812b7eb79.vbs

Filesize
708B

MD5
534446c853a346b69c3e7120415ba594

SHA1
b107c2120eb1184883f174d5920e950cfebcf216

SHA256
880bfcd86189534249935c1aa8a50cd5d8c0b07e28366f0b7ed4851788b3f298

SHA512
a9e0403b618d5ca32ab54ce41a916aa0e85e7ac8eed6514590059cfcf958fd7bbfda973e8d62c9b76fc959b359cc2bbecd741f1839c91af7646f19114d1dece9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXC862.tmp

Filesize
1.7MB

MD5
66eded8b72e993eef8ec0b1b19944cc0

SHA1
21b2295f1f9bd380dd114ff5a5c931b281b1f74c

SHA256
2a5d4895e98e443d4a121f3c22dae87386341c63f739523c25c5ab5f420a480d

SHA512
da0079636800e3b463582f90fe68daf8edfa3dd7a5b2837844bd4009607e6b98e6d134ddb92c2f91ebafc251636840e8ab6f5a4fdb87d716a40ca111a84ac787

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pue1kk3h.tgu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iZKNaLvFxc.bat

Filesize
197B

MD5
580dafa9ea3666a094b02c9582595aba

SHA1
7967d7fd9d713735677be47d6e120dac9fe06e7e

SHA256
ad760faf4dfab007f979f48b77cc7e3c3a1b6f9e37f033e4904682a5e5230d63

SHA512
8fc171f29413c0514cb6c0893df09bcc0a88014643ab89f9438cd0b1ebc3e81e655a32ae7c29b20ed71a85bd271d2bc2adfda74ee023c35886b598bae946e852

Download Submit
memory/2360-230-0x0000000003170000-0x00000000031A5000-memory.dmp

Filesize
212KB

Download
memory/2360-234-0x0000000003170000-0x00000000031A5000-memory.dmp

Filesize
212KB

Download
memory/2892-236-0x000000001B2F0000-0x000000001B302000-memory.dmp

Filesize
72KB

Download
memory/3800-10-0x000000001AF60000-0x000000001AF68000-memory.dmp

Filesize
32KB

Download
memory/3800-0-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/3800-22-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3800-23-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3800-15-0x000000001B780000-0x000000001B78A000-memory.dmp

Filesize
40KB

Download
memory/3800-16-0x000000001B790000-0x000000001B79E000-memory.dmp

Filesize
56KB

Download
memory/3800-73-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3800-17-0x000000001B610000-0x000000001B618000-memory.dmp

Filesize
32KB

Download
memory/3800-1-0x0000000000020000-0x00000000001E0000-memory.dmp

Filesize
1.8MB

Download
memory/3800-18-0x000000001B620000-0x000000001B62C000-memory.dmp

Filesize
48KB

Download
memory/3800-14-0x000000001B500000-0x000000001B50C000-memory.dmp

Filesize
48KB

Download
memory/3800-13-0x000000001BA30000-0x000000001BF58000-memory.dmp

Filesize
5.2MB

Download
memory/3800-12-0x000000001AF70000-0x000000001AF82000-memory.dmp

Filesize
72KB

Download
memory/3800-19-0x000000001B630000-0x000000001B63C000-memory.dmp

Filesize
48KB

Download
memory/3800-9-0x000000001AF50000-0x000000001AF5C000-memory.dmp

Filesize
48KB

Download
memory/3800-2-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/3800-8-0x000000001AF40000-0x000000001AF50000-memory.dmp

Filesize
64KB

Download
memory/3800-7-0x000000001AF20000-0x000000001AF36000-memory.dmp

Filesize
88KB

Download
memory/3800-3-0x0000000002500000-0x000000000251C000-memory.dmp

Filesize
112KB

Download
memory/3800-4-0x000000001B4B0000-0x000000001B500000-memory.dmp

Filesize
320KB

Download
memory/3800-5-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/3800-6-0x0000000002530000-0x0000000002540000-memory.dmp

Filesize
64KB

Download
memory/4384-83-0x00000287EE700000-0x00000287EE722000-memory.dmp

Filesize
136KB

Download
memory/4800-217-0x0000000002FA0000-0x0000000002FD5000-memory.dmp

Filesize
212KB

Download
memory/4800-211-0x0000000002FA0000-0x0000000002FD5000-memory.dmp

Filesize
212KB

Download
memory/4800-201-0x0000000000CE0000-0x0000000000EA0000-memory.dmp

Filesize
1.8MB

Download