dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
14/04/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Size

1.6MB
MD5

52e4554ec87085ec0d31bca66d35df00
SHA1

3196fc8f3064b5d80cd8829c0b3fd6730b2141c0
SHA256

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93
SHA512

04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5324	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5360	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	2736	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	2736	schtasks.exe	78

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral28/memory/6076-1-0x0000000000BB0000-0x0000000000D52000-memory.dmp	dcrat
behavioral28/files/0x001900000002b23d-26.dat	dcrat
behavioral28/files/0x001a00000002b23a-93.dat	dcrat
behavioral28/files/0x001b00000002b23d-104.dat	dcrat
behavioral28/files/0x001b00000002b240-115.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.exe
2276	powershell.exe
2508	powershell.exe
3440	powershell.exe
4656	powershell.exe
3816	powershell.exe
1968	powershell.exe
2576	powershell.exe
3452	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
5972	sihost.exe
5400	sihost.exe
5116	sihost.exe
4640	sihost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5b884080fd4f94	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX7DDF.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX7DFF.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX874D.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX87BB.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Google\Update\SearchHost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Google\Update\SearchHost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Google\Update\cfa885d449487c	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CbsTemp\RCX84DA.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\CbsTemp\dllhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\RCX8C33.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\RCX8C34.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\CbsTemp\5940a34987c991	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\ServiceProfiles\NetworkService\5b884080fd4f94	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\CbsTemp\RCX8548.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\CbsTemp\dllhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\ServiceProfiles\NetworkService\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-4239789418-2672923313-1754393631-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5360	schtasks.exe
684	schtasks.exe
5324	schtasks.exe
4916	schtasks.exe
4772	schtasks.exe
5088	schtasks.exe
5080	schtasks.exe
3448	schtasks.exe
2372	schtasks.exe
5024	schtasks.exe
4948	schtasks.exe
2060	schtasks.exe
4328	schtasks.exe
4492	schtasks.exe
4216	schtasks.exe
4644	schtasks.exe
4224	schtasks.exe
1028	schtasks.exe
3756	schtasks.exe
3128	schtasks.exe
5964	schtasks.exe
4924	schtasks.exe
5104	schtasks.exe
3532	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
2576	powershell.exe
2508	powershell.exe
1968	powershell.exe
3816	powershell.exe
2276	powershell.exe
3440	powershell.exe
3452	powershell.exe
2188	powershell.exe
4656	powershell.exe
4656	powershell.exe
3440	powershell.exe
3440	powershell.exe
2508	powershell.exe
2508	powershell.exe
2276	powershell.exe
2276	powershell.exe
2576	powershell.exe
2576	powershell.exe
3452	powershell.exe
3452	powershell.exe
4656	powershell.exe
1968	powershell.exe
1968	powershell.exe
3816	powershell.exe
3816	powershell.exe
2188	powershell.exe
2188	powershell.exe
5972	sihost.exe
5116	sihost.exe
4640	sihost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	5972	sihost.exe
Token: SeDebugPrivilege	5116	sihost.exe
Token: SeDebugPrivilege	4640	sihost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 6076 wrote to memory of 2188	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	103
PID 6076 wrote to memory of 2188	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	103
PID 6076 wrote to memory of 2576	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	104
PID 6076 wrote to memory of 2576	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	104
PID 6076 wrote to memory of 2276	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	105
PID 6076 wrote to memory of 2276	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	105
PID 6076 wrote to memory of 1968	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	106
PID 6076 wrote to memory of 1968	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	106
PID 6076 wrote to memory of 3816	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	107
PID 6076 wrote to memory of 3816	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	107
PID 6076 wrote to memory of 3452	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	108
PID 6076 wrote to memory of 3452	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	108
PID 6076 wrote to memory of 4656	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	110
PID 6076 wrote to memory of 4656	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	110
PID 6076 wrote to memory of 3440	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	111
PID 6076 wrote to memory of 3440	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	111
PID 6076 wrote to memory of 2508	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	113
PID 6076 wrote to memory of 2508	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	113
PID 6076 wrote to memory of 1224	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	121
PID 6076 wrote to memory of 1224	6076	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	121
PID 1224 wrote to memory of 4856	1224	cmd.exe	123
PID 1224 wrote to memory of 4856	1224	cmd.exe	123
PID 1224 wrote to memory of 5972	1224	cmd.exe	124
PID 1224 wrote to memory of 5972	1224	cmd.exe	124
PID 5972 wrote to memory of 1404	5972	sihost.exe	125
PID 5972 wrote to memory of 1404	5972	sihost.exe	125
PID 5972 wrote to memory of 5976	5972	sihost.exe	126
PID 5972 wrote to memory of 5976	5972	sihost.exe	126
PID 1404 wrote to memory of 5400	1404	WScript.exe	127
PID 1404 wrote to memory of 5400	1404	WScript.exe	127
PID 2336 wrote to memory of 5116	2336	WScript.exe	130
PID 2336 wrote to memory of 5116	2336	WScript.exe	130
PID 5116 wrote to memory of 2172	5116	sihost.exe	131
PID 5116 wrote to memory of 2172	5116	sihost.exe	131
PID 5116 wrote to memory of 572	5116	sihost.exe	132
PID 5116 wrote to memory of 572	5116	sihost.exe	132
PID 2172 wrote to memory of 4640	2172	WScript.exe	133
PID 2172 wrote to memory of 4640	2172	WScript.exe	133
PID 4640 wrote to memory of 2632	4640	sihost.exe	134
PID 4640 wrote to memory of 2632	4640	sihost.exe	134
PID 4640 wrote to memory of 1220	4640	sihost.exe	135
PID 4640 wrote to memory of 1220	4640	sihost.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
"C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2ede47d3b1628d9dc127d1f03a161c\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d43261e443c85885cb99c34096\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\SearchHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vQoryyONEk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4856
- - C:\Recovery\WindowsRE\sihost.exe
    "C:\Recovery\WindowsRE\sihost.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5972
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4bc1dde-4ab4-451e-80e8-d908ae748bed.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5400
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8642330-6dd0-4087-9448-bf49dc9bfb4e.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\181bb0df-edc2-4c5a-a0b4-05624a06a7eb.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a6efdf6-1c8c-480d-94b6-f0ef96892e65.vbs"
        10⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\806c6bdb-5676-4e39-a44d-747f4d0d3a14.vbs"
        10⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7399191f-6bc6-4d26-af7f-84b314550cc0.vbs"
        8⤵
        
        PID:572
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82a85153-41e1-405d-ac3c-34e6f8aa671f.vbs"
        6⤵
        
        PID:4216
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fb46628-ad14-4361-9d2c-ed5ecc82cfa4.vbs"
      4⤵
      PID:5976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\2ede47d3b1628d9dc127d1f03a161c\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\2ede47d3b1628d9dc127d1f03a161c\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\2ede47d3b1628d9dc127d1f03a161c\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\d43261e443c85885cb99c34096\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d43261e443c85885cb99c34096\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\d43261e443c85885cb99c34096\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\CbsTemp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\NetworkService\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\SearchHost.exe

Filesize
1.6MB

MD5
4902bab8e7d434c327a2166c8d0df92a

SHA1
807bf62e515e15d90538afb5aa5b24867ac86f44

SHA256
a3173f11f4aa7ec1a608ff8eb18b70b065b9c091d41256e5213691782bb6984c

SHA512
59ea0b98acc526e8ea08aa380458a447b19d18271214d0a4fcf3db4607277b519b3bf99a63ce20c97f81dacbe7ccdce02cbe9e19ebbd1522f7fe05095716deaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
8660c36dcff96744fee12820fc973263

SHA1
3be2a4dd4474873d20ee93b4f80b5e786424d814

SHA256
2520a9e21907ba0f4f0eee47783a432201c67d368a7269f8c1fd02f88a9156c8

SHA512
2833190db9a3863a4ebe89108c31b696b4f8ae5f4f31f9bcd97f4b618720040ad69440e4a969ccf4c1096f15e208922909312ad534e1e102f69c8bb79abdb7dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6b6c7f20485e3eb78dcebc57dbffd53a

SHA1
0b74b6fd0e39ac4802b6ace079c0f818e279cb28

SHA256
79171f02cd2053089116645c69ad0bcdcf591db073ecf3b7397fac2fb6e9fb9a

SHA512
1fc966ed88e45e026ee7207c9a2deb18df65be84d0e10b03642a72b094e37b7464bfd10aa73429de51d6b70e0b2cf5b54ebc06e2263f5dd0ad023f20633b0e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
45f53352160cf0903c729c35c8edfdce

SHA1
b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

SHA256
9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

SHA512
e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\181bb0df-edc2-4c5a-a0b4-05624a06a7eb.vbs

Filesize
708B

MD5
ddb0ccb16b5beea0421cfdf1c5d5dc43

SHA1
2bf44c0a6db92313d093280a16ad137e5fea10a9

SHA256
10accc26d5f4bd67aadf704690fdb7ecc828fb97117b1b383e84130239df6311

SHA512
6ae262188626d6e816af4f85e87c93578375f75a7b9f00c6cf8e3522437ab4e4dc13baed241cf9f6fc01a909384158e70dc1ff72af1e086035cdbafb0a037fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a6efdf6-1c8c-480d-94b6-f0ef96892e65.vbs

Filesize
708B

MD5
027ade8f1a3d5232b54fa7274d031f34

SHA1
243dc2616694bb578fda48affd875172901dc1bb

SHA256
df19f4486a529d2a7738cbc0133c2a5804401053befb3979a8a900b4828fc635

SHA512
c689c646a8f5ea1cc91cf47ec87657235578e53bf4b140bbfd26ca31007abab3e947cb24cec33b4f13f702db3d30c7d845582a4d8be42736b5c8d869aafa89dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8fb46628-ad14-4361-9d2c-ed5ecc82cfa4.vbs

Filesize
484B

MD5
3683af7207d97f072d16300f3fb70d67

SHA1
fdbd71903fa5fef9a8f424327fdba04d3147b7c2

SHA256
7592e779ad357f1e39f736b5c4ac36164c5a61f7f8c4c6156081396e0dc2beea

SHA512
498eecf1ac8fa6359e905dc1c845725cfe5521f2aba239524ae4644863fb00d95ea53dc3ebbe6e3fcede9be62319e27b34a15f0700ec0b609fa45fad33a174fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uoveazxq.rmy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4bc1dde-4ab4-451e-80e8-d908ae748bed.vbs

Filesize
708B

MD5
b3e5659c0747b14bbe237a218a58fb6e

SHA1
f7f0d01ef7c968ecd0152734cae9e7bfe0852ab3

SHA256
70b483e01ce707f0fa08b871354178f34c152d87b4ee5df8fbc4492f263f1ff8

SHA512
87ba647f0a8edde5944a4fcbab330b9aa4e2515aa132613d175bd0e06071a2239b80d61df43a82936bd4ac13c864ec31e0816832e0694219467edbc912381296

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQoryyONEk.bat

Filesize
197B

MD5
de9ebfb462e41bcf90f06e3bc513666a

SHA1
1e888a636551673bfb2c49fbaea245def4b218fa

SHA256
5af11cc20763b184775624abde90ea4cb020e9f76a61626796401f3e653d74f0

SHA512
2bb3150c31cd42342d1274ef35022a711fc4d78e75e3cfac05497bcff0b6c9e9d10b5e30d43a23ce047cf2265993758c103bf448c2646128235d855cdc458922

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\System.exe

Filesize
1.6MB

MD5
1fe067a2411657d7a4b6c5543bb32906

SHA1
e66eef9ce088f837cb4e001df1f977b09e4d7e34

SHA256
17ef35ac269476f1231ee4d5c16d9890ccbab0b4d622623fbac83cc36004b6fb

SHA512
a931dc725a8503342425d2171d726ecd10f7f561ffd5f838a7756ba267c79413684e641a65efc1efed0af11e47921f10c49839a7a638160dc958138bfbd86464

Download Submit
C:\Windows\CbsTemp\dllhost.exe

Filesize
1.6MB

MD5
52e4554ec87085ec0d31bca66d35df00

SHA1
3196fc8f3064b5d80cd8829c0b3fd6730b2141c0

SHA256
f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93

SHA512
04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899

Download Submit
C:\Windows\CbsTemp\dllhost.exe

Filesize
1.6MB

MD5
c0d35b4a27d13758242510bd4405c805

SHA1
4ee0e42b8492727dc4d88abbc892a69201f7823b

SHA256
53a8388d3666c193593b0148a1d3f42cea1239d98398a7114b6a391dcebef035

SHA512
07d64ba9f4c9ea400dc600f30027b4a6833f2efd76135241b89dac5a3f0cbed5c8eac23771e9566bd4d387921024d1051f6c5a0f53f679ede0513fdb90c284c9

Download Submit
memory/2576-136-0x00000226CBFC0000-0x00000226CBFE2000-memory.dmp

Filesize
136KB

Download
memory/6076-11-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/6076-10-0x000000001C060000-0x000000001C06C000-memory.dmp

Filesize
48KB

Download
memory/6076-13-0x000000001C2A0000-0x000000001C2AE000-memory.dmp

Filesize
56KB

Download
memory/6076-14-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/6076-12-0x000000001C290000-0x000000001C29A000-memory.dmp

Filesize
40KB

Download
memory/6076-16-0x000000001C2D0000-0x000000001C2DA000-memory.dmp

Filesize
40KB

Download
memory/6076-184-0x00007FFEA2030000-0x00007FFEA2AF2000-memory.dmp

Filesize
10.8MB

Download
memory/6076-15-0x000000001C2C0000-0x000000001C2C8000-memory.dmp

Filesize
32KB

Download
memory/6076-17-0x000000001C2E0000-0x000000001C2EC000-memory.dmp

Filesize
48KB

Download
memory/6076-0-0x00007FFEA2033000-0x00007FFEA2035000-memory.dmp

Filesize
8KB

Download
memory/6076-9-0x000000001C040000-0x000000001C048000-memory.dmp

Filesize
32KB

Download
memory/6076-7-0x000000001C030000-0x000000001C038000-memory.dmp

Filesize
32KB

Download
memory/6076-8-0x000000001C050000-0x000000001C060000-memory.dmp

Filesize
64KB

Download
memory/6076-6-0x000000001BA00000-0x000000001BA16000-memory.dmp

Filesize
88KB

Download
memory/6076-4-0x000000001C080000-0x000000001C0D0000-memory.dmp

Filesize
320KB

Download
memory/6076-5-0x0000000002FA0000-0x0000000002FB0000-memory.dmp

Filesize
64KB

Download
memory/6076-3-0x000000001B9D0000-0x000000001B9EC000-memory.dmp

Filesize
112KB

Download
memory/6076-2-0x00007FFEA2030000-0x00007FFEA2AF2000-memory.dmp

Filesize
10.8MB

Download
memory/6076-1-0x0000000000BB0000-0x0000000000D52000-memory.dmp

Filesize
1.6MB

Download