dcrat | 44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6

Analysis

max time kernel
120s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/10/2024, 02:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
Size

1.8MB
MD5

ec4891ec2e1e54b6e32d1e1b3bdb5915
SHA1

c30c1fad6115013e814e288a1d06d2523aec6d95
SHA256

44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6
SHA512

3ab4c039d3cf22c55dedf8506851ec3ea221849eb4e132928eb314c67c38a650b403afc4270874c2d2c46875f1a9ec668b83f7619793ef75758bc2398b4cc7cc
SSDEEP

24576:juhBQp12QFQP7U9QlUrNGWsm5wtgeZBN+HE3r13P+doHExf27vH/h6kcWqnxqlM:jMWYoQlUr4M4geZ2ktP+dCEeghxql

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2760	powershell.exe
316	powershell.exe
2724	powershell.exe
2684	powershell.exe
764	powershell.exe
484	powershell.exe
3008	powershell.exe
572	powershell.exe
2176	powershell.exe
688	powershell.exe
2768	powershell.exe
2388	powershell.exe
2668	powershell.exe
2188	powershell.exe
792	powershell.exe
2864	powershell.exe
2240	powershell.exe
2148	powershell.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\explorer.exe	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File created	C:\Program Files (x86)\Uninstall Information\7a0fd90576e088	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\explorer.exe	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\7a0fd90576e088	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File created	C:\Program Files (x86)\Internet Explorer\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File created	C:\Program Files (x86)\Internet Explorer\53d19d1a46a8c9	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\wininit.exe	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File created	C:\Windows\Offline Web Pages\csrss.exe	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
File created	C:\Windows\Offline Web Pages\886983d96e3d3e	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3016	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3016	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	288	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 792	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	30
PID 2348 wrote to memory of 792	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	30
PID 2348 wrote to memory of 792	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	30
PID 2348 wrote to memory of 688	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	31
PID 2348 wrote to memory of 688	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	31
PID 2348 wrote to memory of 688	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	31
PID 2348 wrote to memory of 484	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	32
PID 2348 wrote to memory of 484	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	32
PID 2348 wrote to memory of 484	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	32
PID 2348 wrote to memory of 2188	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	33
PID 2348 wrote to memory of 2188	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	33
PID 2348 wrote to memory of 2188	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	33
PID 2348 wrote to memory of 2176	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	34
PID 2348 wrote to memory of 2176	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	34
PID 2348 wrote to memory of 2176	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	34
PID 2348 wrote to memory of 2148	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	35
PID 2348 wrote to memory of 2148	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	35
PID 2348 wrote to memory of 2148	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	35
PID 2348 wrote to memory of 2240	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	36
PID 2348 wrote to memory of 2240	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	36
PID 2348 wrote to memory of 2240	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	36
PID 2348 wrote to memory of 316	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	37
PID 2348 wrote to memory of 316	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	37
PID 2348 wrote to memory of 316	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	37
PID 2348 wrote to memory of 2760	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	38
PID 2348 wrote to memory of 2760	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	38
PID 2348 wrote to memory of 2760	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	38
PID 2348 wrote to memory of 2864	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	39
PID 2348 wrote to memory of 2864	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	39
PID 2348 wrote to memory of 2864	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	39
PID 2348 wrote to memory of 2668	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	40
PID 2348 wrote to memory of 2668	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	40
PID 2348 wrote to memory of 2668	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	40
PID 2348 wrote to memory of 764	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	41
PID 2348 wrote to memory of 764	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	41
PID 2348 wrote to memory of 764	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	41
PID 2348 wrote to memory of 572	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	42
PID 2348 wrote to memory of 572	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	42
PID 2348 wrote to memory of 572	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	42
PID 2348 wrote to memory of 2388	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	43
PID 2348 wrote to memory of 2388	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	43
PID 2348 wrote to memory of 2388	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	43
PID 2348 wrote to memory of 2684	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	44
PID 2348 wrote to memory of 2684	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	44
PID 2348 wrote to memory of 2684	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	44
PID 2348 wrote to memory of 3008	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	45
PID 2348 wrote to memory of 3008	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	45
PID 2348 wrote to memory of 3008	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	45
PID 2348 wrote to memory of 2724	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	46
PID 2348 wrote to memory of 2724	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	46
PID 2348 wrote to memory of 2724	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	46
PID 2348 wrote to memory of 2768	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	47
PID 2348 wrote to memory of 2768	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	47
PID 2348 wrote to memory of 2768	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	47
PID 2348 wrote to memory of 2620	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	63
PID 2348 wrote to memory of 2620	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	63
PID 2348 wrote to memory of 2620	2348	44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe	63
PID 2620 wrote to memory of 2252	2620	cmd.exe	69
PID 2620 wrote to memory of 2252	2620	cmd.exe	69
PID 2620 wrote to memory of 2252	2620	cmd.exe	69
PID 2620 wrote to memory of 3016	2620	cmd.exe	70
PID 2620 wrote to memory of 3016	2620	cmd.exe	70
PID 2620 wrote to memory of 3016	2620	cmd.exe	70
PID 2620 wrote to memory of 288	2620	cmd.exe	71

C:\Users\Admin\AppData\Local\Temp\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
"C:\Users\Admin\AppData\Local\Temp\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBqwsm2N0U.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2252
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3016
- - C:\Users\Admin\AppData\Local\Temp\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe
    "C:\Users\Admin\AppData\Local\Temp\44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uBqwsm2N0U.bat

Filesize
230B

MD5
5b5371d850ba71aa924d8a5e3124e290

SHA1
808ddc9b3a79d043091af13f34178fc548e15e83

SHA256
5a42cc0c3495f13090eac299c822f39d8f11852d8677798f1bbf165237ed431a

SHA512
c701197cdcbd6ff4da1c98e4a899e390a4693a68a0ed0fcce463b781c443d8aa8e10defa906e82e56b9cda762740d55c5c36d49e63144ae467842ab7872b7232

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e1a79ffa3acc4ac43b0da159fb40fc4b

SHA1
bf295c7f31a2f30b8498cc2a7591ed2e8d410b24

SHA256
37e7557ef5c8559c982bb17a900a1f7d3d8508cc14eedb898bf836b4e952e8f2

SHA512
37c21c4b9731458c2ce3a4d1465100a187d36f269c72a24352810ec6052da1afeecf00da31b5f39c5ae76f28a517b895bd6e11536b29cb32428d7b53b55921f7

Download Submit
C:\Windows\Offline Web Pages\csrss.exe

Filesize
1.8MB

MD5
ec4891ec2e1e54b6e32d1e1b3bdb5915

SHA1
c30c1fad6115013e814e288a1d06d2523aec6d95

SHA256
44a641d0d8a75103154273f34f65999770498af9f63aa8d878f4532718860ea6

SHA512
3ab4c039d3cf22c55dedf8506851ec3ea221849eb4e132928eb314c67c38a650b403afc4270874c2d2c46875f1a9ec668b83f7619793ef75758bc2398b4cc7cc

Download Submit
memory/288-126-0x00000000013E0000-0x00000000015BA000-memory.dmp

Filesize
1.9MB

Download
memory/688-39-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/688-40-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2348-6-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2348-33-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-13-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2348-14-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-15-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-9-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-28-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-11-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download
memory/2348-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2348-4-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-3-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-23-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2348-8-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2348-1-0x0000000000DF0000-0x0000000000FCA000-memory.dmp

Filesize
1.9MB

Download