dcrat | 27beae1aeb07d9aa24f6f4f13d247c7f69d8c412ed9150ac0e13c36de80d159a

Analysis

max time kernel
899s
max time network
900s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-uk
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-uklocale:uk-uaos:windows10-ltsc_2021-x64systemwindows
submitted
28/03/2025, 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

2.1MB
MD5

fa7058193e55dcf22576be1d81ee4ec9
SHA1

7ac5c2aeff7da77ea0ea71e9e4244dec68ee7a18
SHA256

27beae1aeb07d9aa24f6f4f13d247c7f69d8c412ed9150ac0e13c36de80d159a
SHA512

fbb538fa4d26bd3c554f9e837b134c119a6acff43b0a8cc0b805bcb9a0acfa54d4b0ca18d745f7f167ba9bc9642d8e14e783c38ad7207d55389d8ea7dd1af74e
SSDEEP

49152:IBJnuqJN5zhadFAfdQhkGdf8v0d4RHP5Hx7:yxuqVMdFPCgfydRHBHx

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\99fd0edc0f2095eabdc1\\cmd.exe\", \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Admin\\Recent\\Registry.exe\", \"C:\\msWebfontCommonsvc\\sysmon.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\", \"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\99fd0edc0f2095eabdc1\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\99fd0edc0f2095eabdc1\\cmd.exe\", \"C:\\Users\\Default\\sppsvc.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\99fd0edc0f2095eabdc1\\cmd.exe\", \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Admin\\Recent\\Registry.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\99fd0edc0f2095eabdc1\\cmd.exe\", \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Admin\\Recent\\Registry.exe\", \"C:\\msWebfontCommonsvc\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\99fd0edc0f2095eabdc1\\cmd.exe\", \"C:\\Users\\Default\\sppsvc.exe\", \"C:\\Users\\Admin\\Recent\\Registry.exe\", \"C:\\msWebfontCommonsvc\\sysmon.exe\", \"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\""	ContainerAgentBrowserSession.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5716	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5200	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5224	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5516	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5140	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	5732	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5712	5732	schtasks.exe	85

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4856	powershell.exe
5896	powershell.exe
5464	powershell.exe
5232	powershell.exe
5332	powershell.exe
5344	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\Control Panel\International\Geo\Nation	ContainerAgentBrowserSession.exe

Executes dropped EXE 23 IoCs

pid	Process
116	ContainerAgentBrowserSession.exe
4360	cmd.exe
4104	cmd.exe
6024	sppsvc.exe
2340	sppsvc.exe
2068	Registry.exe
5548	Registry.exe
5688	sysmon.exe
3036	sysmon.exe
5648	conhost.exe
3180	conhost.exe
5820	ContainerAgentBrowserSession.exe
3268	ContainerAgentBrowserSession.exe
1176	ContainerAgentBrowserSession.exe
5096	sysmon.exe
2004	cmd.exe
3664	ContainerAgentBrowserSession.exe
5144	Registry.exe
956	cmd.exe
5864	conhost.exe
4148	sppsvc.exe
4112	ContainerAgentBrowserSession.exe
724	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\99fd0edc0f2095eabdc1\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\Recent\\Registry.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\msWebfontCommonsvc\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\msWebfontCommonsvc\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\7-Zip\\Lang\\conhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\99fd0edc0f2095eabdc1\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\sppsvc.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\Default\\sppsvc.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Admin\\Recent\\Registry.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCAD725A8566A405A881847BDDF40299D.TMP	csc.exe
File created	\??\c:\Windows\System32\zhwj81.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCFD5B8CE26DFD4E369797BE28A8B11E0.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files\7-Zip\Lang\conhost.exe	ContainerAgentBrowserSession.exe
File created	C:\Program Files\7-Zip\Lang\088424020bedd6	ContainerAgentBrowserSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	ContainerAgentBrowserSession.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1860	schtasks.exe
5140	schtasks.exe
2688	schtasks.exe
4088	schtasks.exe
3980	schtasks.exe
5004	schtasks.exe
5716	schtasks.exe
5516	schtasks.exe
3068	schtasks.exe
1456	schtasks.exe
2404	schtasks.exe
5200	schtasks.exe
1152	schtasks.exe
3836	schtasks.exe
5712	schtasks.exe
4224	schtasks.exe
3284	schtasks.exe
5224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe
116	ContainerAgentBrowserSession.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3464	taskmgr.exe
5096	sysmon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	ContainerAgentBrowserSession.exe
Token: SeDebugPrivilege	4104	cmd.exe
Token: SeDebugPrivilege	4360	cmd.exe
Token: SeDebugPrivilege	2340	sppsvc.exe
Token: SeDebugPrivilege	6024	sppsvc.exe
Token: SeDebugPrivilege	2068	Registry.exe
Token: SeDebugPrivilege	5548	Registry.exe
Token: SeDebugPrivilege	3036	sysmon.exe
Token: SeDebugPrivilege	5688	sysmon.exe
Token: SeDebugPrivilege	5648	conhost.exe
Token: SeDebugPrivilege	3180	conhost.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	4856	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	5332	powershell.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeDebugPrivilege	5820	ContainerAgentBrowserSession.exe
Token: SeDebugPrivilege	3268	ContainerAgentBrowserSession.exe
Token: SeIncreaseQuotaPrivilege	5896	powershell.exe
Token: SeSecurityPrivilege	5896	powershell.exe
Token: SeTakeOwnershipPrivilege	5896	powershell.exe
Token: SeLoadDriverPrivilege	5896	powershell.exe
Token: SeSystemProfilePrivilege	5896	powershell.exe
Token: SeSystemtimePrivilege	5896	powershell.exe
Token: SeProfSingleProcessPrivilege	5896	powershell.exe
Token: SeIncBasePriorityPrivilege	5896	powershell.exe
Token: SeCreatePagefilePrivilege	5896	powershell.exe
Token: SeBackupPrivilege	5896	powershell.exe
Token: SeRestorePrivilege	5896	powershell.exe
Token: SeShutdownPrivilege	5896	powershell.exe
Token: SeDebugPrivilege	5896	powershell.exe
Token: SeSystemEnvironmentPrivilege	5896	powershell.exe
Token: SeRemoteShutdownPrivilege	5896	powershell.exe
Token: SeUndockPrivilege	5896	powershell.exe
Token: SeManageVolumePrivilege	5896	powershell.exe
Token: 33	5896	powershell.exe
Token: 34	5896	powershell.exe
Token: 35	5896	powershell.exe
Token: 36	5896	powershell.exe
Token: SeIncreaseQuotaPrivilege	5344	powershell.exe
Token: SeSecurityPrivilege	5344	powershell.exe
Token: SeTakeOwnershipPrivilege	5344	powershell.exe
Token: SeLoadDriverPrivilege	5344	powershell.exe
Token: SeSystemProfilePrivilege	5344	powershell.exe
Token: SeSystemtimePrivilege	5344	powershell.exe
Token: SeProfSingleProcessPrivilege	5344	powershell.exe
Token: SeIncBasePriorityPrivilege	5344	powershell.exe
Token: SeCreatePagefilePrivilege	5344	powershell.exe
Token: SeBackupPrivilege	5344	powershell.exe
Token: SeRestorePrivilege	5344	powershell.exe
Token: SeShutdownPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeSystemEnvironmentPrivilege	5344	powershell.exe
Token: SeRemoteShutdownPrivilege	5344	powershell.exe
Token: SeUndockPrivilege	5344	powershell.exe
Token: SeManageVolumePrivilege	5344	powershell.exe
Token: 33	5344	powershell.exe
Token: 34	5344	powershell.exe
Token: 35	5344	powershell.exe
Token: 36	5344	powershell.exe
Token: SeIncreaseQuotaPrivilege	5232	powershell.exe
Token: SeSecurityPrivilege	5232	powershell.exe
Token: SeTakeOwnershipPrivilege	5232	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe
3464	taskmgr.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 5780 wrote to memory of 5908	5780	DCRatBuild.exe	81
PID 5780 wrote to memory of 5908	5780	DCRatBuild.exe	81
PID 5780 wrote to memory of 5908	5780	DCRatBuild.exe	81
PID 5908 wrote to memory of 5736	5908	WScript.exe	86
PID 5908 wrote to memory of 5736	5908	WScript.exe	86
PID 5908 wrote to memory of 5736	5908	WScript.exe	86
PID 5736 wrote to memory of 116	5736	cmd.exe	88
PID 5736 wrote to memory of 116	5736	cmd.exe	88
PID 116 wrote to memory of 2464	116	ContainerAgentBrowserSession.exe	93
PID 116 wrote to memory of 2464	116	ContainerAgentBrowserSession.exe	93
PID 2464 wrote to memory of 4968	2464	csc.exe	95
PID 2464 wrote to memory of 4968	2464	csc.exe	95
PID 116 wrote to memory of 5084	116	ContainerAgentBrowserSession.exe	96
PID 116 wrote to memory of 5084	116	ContainerAgentBrowserSession.exe	96
PID 5084 wrote to memory of 4284	5084	csc.exe	98
PID 5084 wrote to memory of 4284	5084	csc.exe	98
PID 4212 wrote to memory of 4360	4212	cmd.exe	106
PID 4212 wrote to memory of 4360	4212	cmd.exe	106
PID 5040 wrote to memory of 4104	5040	cmd.exe	105
PID 5040 wrote to memory of 4104	5040	cmd.exe	105
PID 2328 wrote to memory of 6024	2328	cmd.exe	120
PID 2328 wrote to memory of 6024	2328	cmd.exe	120
PID 1076 wrote to memory of 2340	1076	cmd.exe	119
PID 1076 wrote to memory of 2340	1076	cmd.exe	119
PID 4252 wrote to memory of 2068	4252	cmd.exe	123
PID 4252 wrote to memory of 2068	4252	cmd.exe	123
PID 3944 wrote to memory of 5548	3944	cmd.exe	125
PID 3944 wrote to memory of 5548	3944	cmd.exe	125
PID 3900 wrote to memory of 5688	3900	cmd.exe	133
PID 3900 wrote to memory of 5688	3900	cmd.exe	133
PID 4084 wrote to memory of 3036	4084	cmd.exe	134
PID 4084 wrote to memory of 3036	4084	cmd.exe	134
PID 116 wrote to memory of 5344	116	ContainerAgentBrowserSession.exe	143
PID 116 wrote to memory of 5344	116	ContainerAgentBrowserSession.exe	143
PID 116 wrote to memory of 5332	116	ContainerAgentBrowserSession.exe	144
PID 116 wrote to memory of 5332	116	ContainerAgentBrowserSession.exe	144
PID 116 wrote to memory of 5232	116	ContainerAgentBrowserSession.exe	145
PID 116 wrote to memory of 5232	116	ContainerAgentBrowserSession.exe	145
PID 116 wrote to memory of 5464	116	ContainerAgentBrowserSession.exe	146
PID 116 wrote to memory of 5464	116	ContainerAgentBrowserSession.exe	146
PID 116 wrote to memory of 5896	116	ContainerAgentBrowserSession.exe	147
PID 116 wrote to memory of 5896	116	ContainerAgentBrowserSession.exe	147
PID 116 wrote to memory of 4856	116	ContainerAgentBrowserSession.exe	148
PID 116 wrote to memory of 4856	116	ContainerAgentBrowserSession.exe	148
PID 2576 wrote to memory of 5648	2576	cmd.exe	149
PID 2576 wrote to memory of 5648	2576	cmd.exe	149
PID 1396 wrote to memory of 3180	1396	cmd.exe	160
PID 1396 wrote to memory of 3180	1396	cmd.exe	160
PID 116 wrote to memory of 3928	116	ContainerAgentBrowserSession.exe	161
PID 116 wrote to memory of 3928	116	ContainerAgentBrowserSession.exe	161
PID 1696 wrote to memory of 5820	1696	cmd.exe	163
PID 1696 wrote to memory of 5820	1696	cmd.exe	163
PID 1672 wrote to memory of 3268	1672	cmd.exe	164
PID 1672 wrote to memory of 3268	1672	cmd.exe	164
PID 3928 wrote to memory of 1460	3928	cmd.exe	165
PID 3928 wrote to memory of 1460	3928	cmd.exe	165
PID 3928 wrote to memory of 4800	3928	cmd.exe	166
PID 3928 wrote to memory of 4800	3928	cmd.exe	166
PID 3928 wrote to memory of 1176	3928	cmd.exe	169
PID 3928 wrote to memory of 1176	3928	cmd.exe	169

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5736
  - - C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
      "C:\msWebfontCommonsvc/ContainerAgentBrowserSession.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:116
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mm0r2gwc\mm0r2gwc.cmdline"
        5⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES859B.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCFD5B8CE26DFD4E369797BE28A8B11E0.TMP"
        6⤵
        
        PID:4968
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xc12hyen\xc12hyen.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES85F9.tmp" "c:\Windows\System32\CSCAD725A8566A405A881847BDDF40299D.TMP"
        6⤵
        
        PID:4284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\99fd0edc0f2095eabdc1\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msWebfontCommonsvc\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pxDHsLgqc0.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1460
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4800
      - C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
        
        "C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
        6⤵
        Executes dropped EXE
        
        PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\99fd0edc0f2095eabdc1\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\99fd0edc0f2095eabdc1\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\99fd0edc0f2095eabdc1\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\99fd0edc0f2095eabdc1\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\99fd0edc0f2095eabdc1\cmd.exe
  C:\99fd0edc0f2095eabdc1\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\99fd0edc0f2095eabdc1\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4212
- C:\99fd0edc0f2095eabdc1\cmd.exe
  C:\99fd0edc0f2095eabdc1\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Default\sppsvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Default\sppsvc.exe
  C:\Users\Default\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Default\sppsvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Default\sppsvc.exe
  C:\Users\Default\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Recent\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Admin\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Recent\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Recent\Registry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\Recent\Registry.exe
  C:\Users\Admin\Recent\Registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Recent\Registry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\Recent\Registry.exe
  C:\Users\Admin\Recent\Registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\msWebfontCommonsvc\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\msWebfontCommonsvc\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\msWebfontCommonsvc\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\msWebfontCommonsvc\sysmon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4084
- C:\msWebfontCommonsvc\sysmon.exe
  C:\msWebfontCommonsvc\sysmon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\msWebfontCommonsvc\sysmon.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900
- C:\msWebfontCommonsvc\sysmon.exe
  C:\msWebfontCommonsvc\sysmon.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\7-Zip\Lang\conhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files\7-Zip\Lang\conhost.exe
  "C:\Program Files\7-Zip\Lang\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\7-Zip\Lang\conhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Program Files\7-Zip\Lang\conhost.exe
  "C:\Program Files\7-Zip\Lang\conhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 9 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSession" /sc ONLOGON /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 6 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3464

C:\msWebfontCommonsvc\sysmon.exe
"C:\msWebfontCommonsvc\sysmon.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:5096

C:\99fd0edc0f2095eabdc1\cmd.exe
"C:\99fd0edc0f2095eabdc1\cmd.exe"
1⤵
- Executes dropped EXE
PID:2004

C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
"C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
1⤵
- Executes dropped EXE
PID:3664

C:\Users\Admin\Recent\Registry.exe
"C:\Users\Admin\Recent\Registry.exe"
1⤵
- Executes dropped EXE
PID:5144

C:\99fd0edc0f2095eabdc1\cmd.exe
"C:\99fd0edc0f2095eabdc1\cmd.exe"
1⤵
- Executes dropped EXE
PID:956

C:\Program Files\7-Zip\Lang\conhost.exe
"C:\Program Files\7-Zip\Lang\conhost.exe"
1⤵
- Executes dropped EXE
PID:5864

C:\Users\Default\sppsvc.exe
"C:\Users\Default\sppsvc.exe"
1⤵
- Executes dropped EXE
PID:4148

C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
"C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
1⤵
- Executes dropped EXE
PID:4112

C:\99fd0edc0f2095eabdc1\cmd.exe
"C:\99fd0edc0f2095eabdc1\cmd.exe"
1⤵
- Executes dropped EXE
PID:724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
012afaa9c548aa06e0aea6a231b6aba0

SHA1
162ea2feea2eeb6a1899837a9a6768de3544ec16

SHA256
8aaadf4794824b6429c54e03bb7ac56d91319b2408c99dbaf5ca713af513286b

SHA512
f163f486b72e14c617c119034af7cbf02bb4755a2affeb1d2aab3f708025d7360a24735381c1d3fd34ef79013667ea5fc32e9f513d9fd8d1712422de4c51b980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ContainerAgentBrowserSession.exe.log

Filesize
1KB

MD5
3472240ba9018b36cebbb3fa4d9ecde2

SHA1
fa7d94af70df8bd1719c25cc1485c093354e3cb6

SHA256
4ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449

SHA512
4ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
847B

MD5
37544b654facecb83555afec67d08b33

SHA1
4dc0f5db034801784b01befef5c1d3304145e1dc

SHA256
ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

SHA512
4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3241e72b8d66be5ea6d8ce69f04dd55

SHA1
4205689c32cf8c213f94f40d9213aef4c6d8405f

SHA256
fa16ac854181607dd4cf6f1900cb6fc2703589171959967e9ed2c73a2f14c1d9

SHA512
cf266ccb8a2afe2a2de12256d0c921c5ed3168aad161f158a6f16ed76f75a1cb38a8892e242d6abad72680dfa6df71c2981ffb8c95e55206ef15c44990e107ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4f0efa9e340921d917fe8578307bd13d

SHA1
b9adc63ebd792a4434151acfebf2ccbe66b9bece

SHA256
271316ceb46658857641c3d823855278efb38748c08681f5fc8dfd08e67aff4e

SHA512
b859a8da7a09292926cb269eb5c2c017efa70b0e9ceb28310ffd236e281e4a82538734113d120111e66cd67e087280489067f8473217e763e177d337b66c98b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bcd62128837c387f7e929e2fa11ec8c1

SHA1
ecfed9f2da445bd287d88e454ca3def5e54ec9c7

SHA256
ee5009c583365e76a7c2956a87e5747cb74cd31549ef6a3cef66c3f21913a7c6

SHA512
a39d3fb50711a412693fdaebed22d3df3c23894ad8506d946deb5961737cc3388b6578fb317d7f89d99fad6720f3abb406c357ff04f755ac6a85078527840f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0fb40d1ef88be76f4c3311d80c0fcb0

SHA1
cc4d9ecb3ffc4fb82f9bdef6e1e24c0e665914ac

SHA256
12145f5b34863c8e3865cd48cec9ebb48d2b723494008707d376b020ec0fa77b

SHA512
a213ebedc741b60a324829b6f517faf53e7d001213b9155a51e654eae7b4e473b8335adcf156b28d890494c5c9a41340c9429522860109bcc26ba46208ec4adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES859B.tmp

Filesize
1KB

MD5
f0cd738d0d3e0ad5ffc49e3e0f2dddb9

SHA1
92c90b14b43ccbfa2692d5370c49281f71107373

SHA256
33aef9d2434c1fb805045254909fb5c32cb570f9ab35d9971f66bcc1bdb2126d

SHA512
67600c80abbe7d523eb06fb1e6d95e1e20e15e8c4762a7bfd5d7afe64ebe01567bea30eeeafa69e1c9f465f543fbae2c2dd8d543d293807bf293cfdf7b2abba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES85F9.tmp

Filesize
1KB

MD5
b191bcc550ae3fd54b46b507a9e79b87

SHA1
2ebca2c56552b20c93cb5a1d4d02a18de382a9c6

SHA256
2c93785e7859960f7f5624e2ce80091cb95a01887c048f0b0d6a2de5ad0c4e12

SHA512
bf89557d3ca97fb77cfbb926b0370957375a3d236d4d4269afe6d2e7474addcd94e4287a8301889788612c1bb065149eec57e140ecd804dfd1929e51dbd56431

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3wlkvlp.t3g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxDHsLgqc0.bat

Filesize
230B

MD5
3cc1b250d48a7e7f80838f63cb6fb3b1

SHA1
e7555cd324659a27dca1d90b0044a2f51eaf9682

SHA256
b47f35bf3b71c522bd7d1b16076033d6d7766ac9787d2e930c1079f024310f48

SHA512
99931d63e0b7b3df5bddfbca15d32e09f68076d3a188958cd46bdec1e402c624c65155f47615d5d77ce02ab39c0873331b27a8d1a7e8007b41448c7cf6764caf

Download Submit
C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe

Filesize
209B

MD5
7456528d87fdbbf7380081612a878945

SHA1
91a8b74ee56e559e664e7e41bc9c9d0cd7a1e344

SHA256
274fd47fcfe3c642aaed07e9d94fe524e1680020d5b63e0eff71e7155973a961

SHA512
4fa8dbfb2aa1c1117bcbd3d1de7bcbc4140efa1eddbada9652304d136b71cdb5de633ac8d48d68e58d0bb6317c7132b1e140003a6dd564e8114a6ab0501f7877

Download Submit
C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe

Filesize
1.8MB

MD5
4b48b143e95e5292b1700bd25ba63c76

SHA1
3b321290b54028f94d2b1736173d18ce16bcc260

SHA256
3b1888daacc09277d0f3daca114f05613f708d260e2950ee5620d77881c584cb

SHA512
f8fb811150f81f9636193506451445b77634b27ad36884bfaa4454887666bbcc7f88ff190e912e3a3f7bf8ed82080280075ad753041d5d9bb50717b22b71bcb0

Download Submit
C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat

Filesize
105B

MD5
d9b64ed326c6cfceaa29ddbee358a8e2

SHA1
42b494e3ffa836f173e1a2b1e3da8a93ffe39561

SHA256
576041699b52e2a3eddb04819000376696a1ad869711dc5d786473e9b9f3c2de

SHA512
32c74021848f6d9b5dc6d38287fe992299c8e1a12113203e1dbcab5f5d2abe922fa9fdf62e6ba0d6dac8c3d5ea5e66af5deca42fa51f2b0b699e90a89cd82e67

Download Submit
C:\windows\system32\zhwj81.exe

Filesize
4KB

MD5
9f2a0e7a17f15283b03dcc0331f9db73

SHA1
a422f8bcac451adc472177febfe0e5c1bff3185d

SHA256
a5dc5b2ba52214a3b4dd187fa2bccce4d17e6b8bcb5ba0846ce040430e2cfe94

SHA512
92b2b9fa37eeb2964d04b6943d4dec34bd2f5f1589a79268202079ecab9b9c831cd8c7bd58f736bd05dee2ef62ce54803143b901af092c2a264015cdf619970a

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCFD5B8CE26DFD4E369797BE28A8B11E0.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mm0r2gwc\mm0r2gwc.0.cs

Filesize
393B

MD5
62fa67e950a66016a6518c97ab8daea1

SHA1
b8eb85c789bb8d937a7f5f49044b336253384ea2

SHA256
87f24bc1fd8f87c78b707a16620d90adbff6d57334901d458e2d033c7755a254

SHA512
36081966c620ec58e64cce2dd0168fa4c6cac71c438a518e0201ec1fa28eea106247c962b396564f15e74bb2700311f07610864607f962c13d7a8a315a47f5ef

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mm0r2gwc\mm0r2gwc.cmdline

Filesize
265B

MD5
0b2c73573f1e3af7825485050328d0cb

SHA1
70a697e5b352fb7d0680f6af06cccc0e0212a283

SHA256
c86bf257d6eeead86529ba130a434cdf10d6a9d0e76c02b5f09a76eed9083443

SHA512
7a09f9000b6dc70ae389325eedf865f6279786e847ee1c04a2fe32ec97cd26783e856210216b7732a04078511bb07f1bdc91ed3a4d25e2fefc5ef057f3434f81

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xc12hyen\xc12hyen.0.cs

Filesize
363B

MD5
b61eb27f06c5954e1e6ac0bf81926a0f

SHA1
89f2106ffe3ffe4c1fa8e667bf613c021c3c2450

SHA256
20d2cede04426c46936be91f28aac845d0870555fb1bc7953c6455e3b1c8b757

SHA512
ab6c25f4ba799bb849294df068d36004a9d6ed79c2242218677f52d68583f47e5abfe42b5617b7f283503a2a21a48804845bd08df191d3d3a982af1b12b9de3f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xc12hyen\xc12hyen.cmdline

Filesize
235B

MD5
021090f6accba85658ca334574dbe8c8

SHA1
01b497e4ff658c8945636a570c132e3b7f50825c

SHA256
557bebfed78a50d6541d617bfd14fa3dcb2577cac9eb1df872bb76fd4b3b8775

SHA512
a96ad1cf99f6bc90a5761c7d948385e8f8b5e11f281271a8ff794177c868254e586a1f0e4cf7e2cfc28b9a9573ea2ce65f9ab476dc6469d07c12f87e3d8971f9

Download Submit
\??\c:\Windows\System32\CSCAD725A8566A405A881847BDDF40299D.TMP

Filesize
1KB

MD5
106f3af94d8a2bfb5f983e2e14934eca

SHA1
81759dc8f671c6f3f856cf0975d92da2e60c8dc6

SHA256
aef59bf55701459fb802b665b6a6a10196f949d7e0d1c87198b8ea54335c1b51

SHA512
c1eb2ac48d7f42adf18d5a94a678722f13bac3df9b1243c2aae071be6d08659c1877c94c7bdb5d5728abdf4e7e2fb4c5060ebc9c1d0d5557f82f1c942e17cdf8

Download Submit
memory/116-15-0x00007FFCF0A23000-0x00007FFCF0A25000-memory.dmp

Filesize
8KB

Download
memory/116-20-0x00000000024E0000-0x00000000024FC000-memory.dmp

Filesize
112KB

Download
memory/116-74-0x000000001B090000-0x000000001B0DE000-memory.dmp

Filesize
312KB

Download
memory/116-25-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/116-23-0x000000001AEE0000-0x000000001AEF8000-memory.dmp

Filesize
96KB

Download
memory/116-16-0x00000000000E0000-0x00000000002BA000-memory.dmp

Filesize
1.9MB

Download
memory/116-18-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/116-21-0x000000001B2F0000-0x000000001B340000-memory.dmp

Filesize
320KB

Download
memory/3464-173-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-175-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-170-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-171-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-172-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-164-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-165-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-166-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-176-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/3464-174-0x00000273F51B0000-0x00000273F51B1000-memory.dmp

Filesize
4KB

Download
memory/4856-152-0x0000029073D10000-0x0000029073F2D000-memory.dmp

Filesize
2.1MB

Download
memory/5096-186-0x00000000030A0000-0x00000000030A8000-memory.dmp

Filesize
32KB

Download
memory/5096-187-0x000000001C950000-0x000000001C99E000-memory.dmp

Filesize
312KB

Download
memory/5232-149-0x000002835A0B0000-0x000002835A2CD000-memory.dmp

Filesize
2.1MB

Download
memory/5332-141-0x00000296F2A00000-0x00000296F2C1D000-memory.dmp

Filesize
2.1MB

Download
memory/5344-148-0x000001D336960000-0x000001D336B7D000-memory.dmp

Filesize
2.1MB

Download
memory/5344-84-0x000001D336890000-0x000001D3368B2000-memory.dmp

Filesize
136KB

Download
memory/5464-145-0x000002E75CBD0000-0x000002E75CDED000-memory.dmp

Filesize
2.1MB

Download
memory/5896-144-0x000001E224390000-0x000001E2245AD000-memory.dmp

Filesize
2.1MB

Download