dcrat | 7c6a80e93e96d417b7eaf9260c5a645d8d45e4c6cf420dcaf482fd480e80ad4e

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exloader_Installer1.exe
Size

27.5MB
MD5

8feb32f1c24e913222ffe6245ea49e86
SHA1

fb93436b7c32bddfb807fcbf07a4434b7bf79a3d
SHA256

7c6a80e93e96d417b7eaf9260c5a645d8d45e4c6cf420dcaf482fd480e80ad4e
SHA512

7b75d76bc079e0fd3acf56cc569bfeac5fd3fb180844b243235c5ca04e53b9f96182c087531919f9437b3d9bd857d1678cea4476812b88b95f54bd56ec0c6b9c
SSDEEP

786432:qHkEWCyHVn1sF4Bw7XqjBk2LZNopfjZqGWHeQZqQ6:qERKFpXqxqf1qGMenQ6

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1148	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1148	schtasks.exe	38

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2684	powershell.exe
2584	powershell.exe
2648	powershell.exe
2716	powershell.exe
2692	powershell.exe
2128	powershell.exe
2744	powershell.exe
1516	powershell.exe
2668	powershell.exe
3040	powershell.exe
2828	powershell.exe
2704	powershell.exe
2984	powershell.exe
2924	powershell.exe
608	powershell.exe
2772	powershell.exe
2788	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1296	ExLoader_Installer.exe
2448	Exloader.exe
1160	ExLoader_Installer.exe
1576	portagentintoMonitor.exe
2304	taskhost.exe

Loads dropped DLL 8 IoCs

pid	Process
2500	Exloader_Installer1.exe
2500	Exloader_Installer1.exe
2448	Exloader.exe
2448	Exloader.exe
1296	ExLoader_Installer.exe
1160	ExLoader_Installer.exe
2968	cmd.exe
2968	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\69ddcba757bf72	portagentintoMonitor.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe	portagentintoMonitor.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe	portagentintoMonitor.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\56085415360792	portagentintoMonitor.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe	portagentintoMonitor.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\42af1c969fbb7b	portagentintoMonitor.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe	portagentintoMonitor.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\b75386f1303e64	portagentintoMonitor.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe	portagentintoMonitor.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Boot\PCAT\tr-TR\lsass.exe	portagentintoMonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exloader_Installer1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1312	schtasks.exe
3036	schtasks.exe
1160	schtasks.exe
1632	schtasks.exe
292	schtasks.exe
2252	schtasks.exe
1592	schtasks.exe
1876	schtasks.exe
2348	schtasks.exe
1992	schtasks.exe
860	schtasks.exe
1432	schtasks.exe
2476	schtasks.exe
496	schtasks.exe
1068	schtasks.exe
1060	schtasks.exe
1600	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe
1576	portagentintoMonitor.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2304	taskhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1576	portagentintoMonitor.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2304	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1296	2500	Exloader_Installer1.exe	31
PID 2500 wrote to memory of 1296	2500	Exloader_Installer1.exe	31
PID 2500 wrote to memory of 1296	2500	Exloader_Installer1.exe	31
PID 2500 wrote to memory of 1296	2500	Exloader_Installer1.exe	31
PID 2500 wrote to memory of 2448	2500	Exloader_Installer1.exe	32
PID 2500 wrote to memory of 2448	2500	Exloader_Installer1.exe	32
PID 2500 wrote to memory of 2448	2500	Exloader_Installer1.exe	32
PID 2500 wrote to memory of 2448	2500	Exloader_Installer1.exe	32
PID 2500 wrote to memory of 2448	2500	Exloader_Installer1.exe	32
PID 2500 wrote to memory of 2448	2500	Exloader_Installer1.exe	32
PID 2500 wrote to memory of 2448	2500	Exloader_Installer1.exe	32
PID 2448 wrote to memory of 2708	2448	Exloader.exe	33
PID 2448 wrote to memory of 2708	2448	Exloader.exe	33
PID 2448 wrote to memory of 2708	2448	Exloader.exe	33
PID 2448 wrote to memory of 2708	2448	Exloader.exe	33
PID 2448 wrote to memory of 2708	2448	Exloader.exe	33
PID 2448 wrote to memory of 2708	2448	Exloader.exe	33
PID 2448 wrote to memory of 2708	2448	Exloader.exe	33
PID 1296 wrote to memory of 1160	1296	ExLoader_Installer.exe	34
PID 1296 wrote to memory of 1160	1296	ExLoader_Installer.exe	34
PID 1296 wrote to memory of 1160	1296	ExLoader_Installer.exe	34
PID 2708 wrote to memory of 2968	2708	WScript.exe	35
PID 2708 wrote to memory of 2968	2708	WScript.exe	35
PID 2708 wrote to memory of 2968	2708	WScript.exe	35
PID 2708 wrote to memory of 2968	2708	WScript.exe	35
PID 2708 wrote to memory of 2968	2708	WScript.exe	35
PID 2708 wrote to memory of 2968	2708	WScript.exe	35
PID 2708 wrote to memory of 2968	2708	WScript.exe	35
PID 2968 wrote to memory of 1576	2968	cmd.exe	37
PID 2968 wrote to memory of 1576	2968	cmd.exe	37
PID 2968 wrote to memory of 1576	2968	cmd.exe	37
PID 2968 wrote to memory of 1576	2968	cmd.exe	37
PID 1576 wrote to memory of 2128	1576	portagentintoMonitor.exe	57
PID 1576 wrote to memory of 2128	1576	portagentintoMonitor.exe	57
PID 1576 wrote to memory of 2128	1576	portagentintoMonitor.exe	57
PID 1576 wrote to memory of 608	1576	portagentintoMonitor.exe	58
PID 1576 wrote to memory of 608	1576	portagentintoMonitor.exe	58
PID 1576 wrote to memory of 608	1576	portagentintoMonitor.exe	58
PID 1576 wrote to memory of 2744	1576	portagentintoMonitor.exe	60
PID 1576 wrote to memory of 2744	1576	portagentintoMonitor.exe	60
PID 1576 wrote to memory of 2744	1576	portagentintoMonitor.exe	60
PID 1576 wrote to memory of 2804	1576	portagentintoMonitor.exe	61
PID 1576 wrote to memory of 2804	1576	portagentintoMonitor.exe	61
PID 1576 wrote to memory of 2804	1576	portagentintoMonitor.exe	61
PID 1576 wrote to memory of 2684	1576	portagentintoMonitor.exe	63
PID 1576 wrote to memory of 2684	1576	portagentintoMonitor.exe	63
PID 1576 wrote to memory of 2684	1576	portagentintoMonitor.exe	63
PID 1576 wrote to memory of 2924	1576	portagentintoMonitor.exe	64
PID 1576 wrote to memory of 2924	1576	portagentintoMonitor.exe	64
PID 1576 wrote to memory of 2924	1576	portagentintoMonitor.exe	64
PID 1576 wrote to memory of 2788	1576	portagentintoMonitor.exe	67
PID 1576 wrote to memory of 2788	1576	portagentintoMonitor.exe	67
PID 1576 wrote to memory of 2788	1576	portagentintoMonitor.exe	67
PID 1576 wrote to memory of 2772	1576	portagentintoMonitor.exe	69
PID 1576 wrote to memory of 2772	1576	portagentintoMonitor.exe	69
PID 1576 wrote to memory of 2772	1576	portagentintoMonitor.exe	69
PID 1576 wrote to memory of 2692	1576	portagentintoMonitor.exe	70
PID 1576 wrote to memory of 2692	1576	portagentintoMonitor.exe	70
PID 1576 wrote to memory of 2692	1576	portagentintoMonitor.exe	70
PID 1576 wrote to memory of 2648	1576	portagentintoMonitor.exe	71
PID 1576 wrote to memory of 2648	1576	portagentintoMonitor.exe	71
PID 1576 wrote to memory of 2648	1576	portagentintoMonitor.exe	71
PID 1576 wrote to memory of 2716	1576	portagentintoMonitor.exe	72
PID 1576 wrote to memory of 2716	1576	portagentintoMonitor.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Exloader_Installer1.exe
"C:\Users\Admin\AppData\Local\Temp\Exloader_Installer1.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1160
- C:\Users\Admin\AppData\Local\Temp\Exloader.exe
  "C:\Users\Admin\AppData\Local\Temp\Exloader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\MsBrowser\Vx997p6vGUg04xzxeAcESnDiVN8Gcg5sqGf.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\MsBrowser\nEl2vF4guCMTSRHkNZXvpfhn3fBmtJtGAkyt3w3p.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\MsBrowser\portagentintoMonitor.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MsBrowser/portagentintoMonitor.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\MsBrowser\portagentintoMonitor.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8I80f3yzFH.bat"
        6⤵
        
        PID:1852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2448
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portagentintoMonitorp" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\MsBrowser\portagentintoMonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portagentintoMonitor" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\MsBrowser\portagentintoMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "portagentintoMonitorp" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\MsBrowser\portagentintoMonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8I80f3yzFH.bat

Filesize
251B

MD5
e1a05d73faa4ebe56af7f8975c253c91

SHA1
e0b005717d9be3ba18a827625b5027a4a201e0d4

SHA256
817ef775c09cc1c704d81e287b98ff353fbd1a78dbca094059f0e6b98b29ee6b

SHA512
f33c4d52898e98be7dc1cf0f5cfeb102b7f2f5c7b8954c9e6dfedf94c862d67971e9b2c92c3838a53a05f4ed994d1500c7a421feb6149be72959cfacc55dda6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsBrowser\Vx997p6vGUg04xzxeAcESnDiVN8Gcg5sqGf.vbe

Filesize
231B

MD5
6b23100127f6c72107e0e184de3fe37b

SHA1
9a4a73f323cb43a8a46bbe02543aeb83e55b4378

SHA256
18fd703ec287ef5186b6117fcce8bb261e063b9e1ab3596ffc52dbc9f7aaf9ad

SHA512
6b8a8a0edf6dedef6f46ff90a9bc8be97b22dc4921dc842caacafc6fd515550c8fd586df09db011e11c32597ca84e92f06866916d211fc3f7199def47414860d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsBrowser\nEl2vF4guCMTSRHkNZXvpfhn3fBmtJtGAkyt3w3p.bat

Filesize
84B

MD5
e0e1875a0332d8a32bcfe9518733fa11

SHA1
bc9d7c54433d924b5775601ab9a6a2e274f32f18

SHA256
3c53525ea13c13593ccf8afd438caacf22b335447470bafd2edc6fb558b49a54

SHA512
1411ea32be3789c5b2561876d1251187d494c334d0a2643b30a5dbc3e17cfc1233b7d7aabcd4b42b8f33d47de382f90dd3570fb420874b0d826a4b86cb457bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsBrowser\portagentintoMonitor.exe

Filesize
1.8MB

MD5
eaafeeda68b54d3fee1027ad70851ceb

SHA1
602017682f89305d82d69dc80135df337d9cc330

SHA256
87740815e35062cc764dd770497f2e8b0497ace5201bfd0ffcc7138dfce51b88

SHA512
6622411603526cc05095d1c92b5629408387e6a789b1ce69f951435df7531a183544309f8abc35ebeee25ed25d117abefaeb705a6981c13d24161e5bc2f1e2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
d663c9eb379f0dfa6115dd1e669b761f

SHA1
fa9fea1bb8a0db94a1f6f9679cc7ef5acdbdc6bd

SHA256
4bd4bab764eadaa9da230407be3fa9c0522b2bbc3dae60593beb9a0984f35138

SHA512
c154b5c2975797d2faa33a31a2612cdd446a149144a7d055323a0c49acfb7cd8dfb815640d68c5de61ce471c6038ff3390d44a801f9dc970b573ef2ecc67f7d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b2577d5f83d496d007460dc54806fc6d

SHA1
aaed2a617554275fde1f2743a9152728eac71f5e

SHA256
dac640677a86a0990665e1a53df7f9e27901eeb5cdae431ec5c39fbd91ea79b9

SHA512
52b2075da2948eddd43bfbb6d2cec5cf8a5c8a8b16521be50532119a16d7251f130fa885641c7ba917873457b2a346df6a64952ef5d39b161d7e2f14780a5848

Download Submit
\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

Filesize
25.4MB

MD5
51d5e87ae7bc99d3acc39daa20b03431

SHA1
7320a8cd779bd18f572422aa53b241fadeae6a34

SHA256
07f61f7c87bdeacfe34388001489136c563f55891d1a7e4481048b0e26e888a4

SHA512
273eb5f5c93df9885ce2bcdc35df234a1f99e13af7b904d7e9a257b5e75a9a38b95f2ee4bc27a4cb069718cde57804aea45cc79223b34aa211a3a5604189c7b4

Download Submit
\Users\Admin\AppData\Local\Temp\Exloader.exe

Filesize
2.1MB

MD5
13426247a492c85bf20046b7a026e6b2

SHA1
e21e674a3327005f8e46b4bae38b6272f7056754

SHA256
ab226f7b338a704a1343dfa476952e9d19c8621a96ee47b15b332a34e749584a

SHA512
cdad7db8f9f7e2e29e4497a04666ca5a0a78b37f2f8ecf4795eaf83cb72c4ebb559afc408e217019a5f797cbfb4e70eaae4b5aa7e04758fcbca13f6395308a27

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
183KB

MD5
b51f61c70894e92875d5530d0f553067

SHA1
6cfe241ad503445443463faa5f869e0ec9cf0cb5

SHA256
0cb547550924bc73727d60885a82df098ead1eddb37f39b32dd46eac8e83db27

SHA512
e8ed6fa9f10dbad7cd7e420aecf655079cb04d59229b8c014eec2cdae545de16566f8c784786dbb98e2c12f3f3bcdbba2d78445fed14807ec154bea0ce653ccc

Download Submit
memory/1576-668-0x0000000000A60000-0x0000000000C3C000-memory.dmp

Filesize
1.9MB

Download
memory/1576-882-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/1576-884-0x00000000004E0000-0x00000000004F8000-memory.dmp

Filesize
96KB

Download
memory/1576-886-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1576-880-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2128-918-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2304-996-0x00000000001D0000-0x00000000003AC000-memory.dmp

Filesize
1.9MB

Download
memory/2500-12-0x0000000000400000-0x0000000001F91000-memory.dmp

Filesize
27.6MB

Download
memory/2684-917-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download