dcrat | 961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d

Analysis

max time kernel
117s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe
Size

1.9MB
MD5

897337394338c3de4be5d55a5d23595a
SHA1

33712202b478a39b89b6d81dc757ab3ee9c52923
SHA256

961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d
SHA512

1c30fbe2772accec7da8503064c82f364168e4e5359896a54afb47c72c117e7ee01d0b9a87fd9b89bb79e3dcd9985ef8d2d8e90bc1fe2c04c7ee237cc7939296
SSDEEP

49152:OB8cAUiFBfBfQigyb/9aYabCnHLuoLk+kig2+5HNf:Q/iF/fQdCrzLk+kiIXf

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2680	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2680	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1652	powershell.exe
1376	powershell.exe
1692	powershell.exe
2452	powershell.exe
1604	powershell.exe
1772	powershell.exe
1380	powershell.exe
868	powershell.exe
880	powershell.exe
1748	powershell.exe
1676	powershell.exe
1352	powershell.exe
1096	powershell.exe
2144	powershell.exe
2320	powershell.exe
768	powershell.exe
2520	powershell.exe
2080	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

WinRAR.execmd.exe

pid	Process
2748	WinRAR.exe
2980	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
1428	cmd.exe
1428	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 9 IoCs

Processes:

WinRAR.exe

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\fr-FR\ebf1f9fa8afd6d	WinRAR.exe
File created	C:\Program Files\DVD Maker\it-IT\5940a34987c991	WinRAR.exe
File created	C:\Program Files\Internet Explorer\smss.exe	WinRAR.exe
File opened for modification	C:\Program Files\Internet Explorer\smss.exe	WinRAR.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\6203df4a6bafc7	WinRAR.exe
File created	C:\Program Files\DVD Maker\it-IT\dllhost.exe	WinRAR.exe
File created	C:\Program Files\Internet Explorer\69ddcba757bf72	WinRAR.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\lsass.exe	WinRAR.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\cmd.exe	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

WinRAR.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
788	schtasks.exe
1152	schtasks.exe
2180	schtasks.exe
2184	schtasks.exe
2932	schtasks.exe
2448	schtasks.exe
3060	schtasks.exe
1264	schtasks.exe
592	schtasks.exe
1004	schtasks.exe
1796	schtasks.exe
2908	schtasks.exe
2612	schtasks.exe
1244	schtasks.exe
1108	schtasks.exe
1144	schtasks.exe
3044	schtasks.exe
584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WinRAR.exe

pid	Process
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe
2748	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

WinRAR.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exe

description	pid	Process
Token: SeDebugPrivilege	2748	WinRAR.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2980	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exeWScript.execmd.exeWinRAR.exe

description	pid	Process	procid_target
PID 2356 wrote to memory of 2488	2356	961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe	30
PID 2356 wrote to memory of 2488	2356	961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe	30
PID 2356 wrote to memory of 2488	2356	961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe	30
PID 2356 wrote to memory of 2488	2356	961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe	30
PID 2488 wrote to memory of 1428	2488	WScript.exe	31
PID 2488 wrote to memory of 1428	2488	WScript.exe	31
PID 2488 wrote to memory of 1428	2488	WScript.exe	31
PID 2488 wrote to memory of 1428	2488	WScript.exe	31
PID 1428 wrote to memory of 2748	1428	cmd.exe	33
PID 1428 wrote to memory of 2748	1428	cmd.exe	33
PID 1428 wrote to memory of 2748	1428	cmd.exe	33
PID 1428 wrote to memory of 2748	1428	cmd.exe	33
PID 2748 wrote to memory of 2144	2748	WinRAR.exe	54
PID 2748 wrote to memory of 2144	2748	WinRAR.exe	54
PID 2748 wrote to memory of 2144	2748	WinRAR.exe	54
PID 2748 wrote to memory of 2320	2748	WinRAR.exe	55
PID 2748 wrote to memory of 2320	2748	WinRAR.exe	55
PID 2748 wrote to memory of 2320	2748	WinRAR.exe	55
PID 2748 wrote to memory of 2520	2748	WinRAR.exe	56
PID 2748 wrote to memory of 2520	2748	WinRAR.exe	56
PID 2748 wrote to memory of 2520	2748	WinRAR.exe	56
PID 2748 wrote to memory of 1096	2748	WinRAR.exe	58
PID 2748 wrote to memory of 1096	2748	WinRAR.exe	58
PID 2748 wrote to memory of 1096	2748	WinRAR.exe	58
PID 2748 wrote to memory of 880	2748	WinRAR.exe	59
PID 2748 wrote to memory of 880	2748	WinRAR.exe	59
PID 2748 wrote to memory of 880	2748	WinRAR.exe	59
PID 2748 wrote to memory of 1604	2748	WinRAR.exe	61
PID 2748 wrote to memory of 1604	2748	WinRAR.exe	61
PID 2748 wrote to memory of 1604	2748	WinRAR.exe	61
PID 2748 wrote to memory of 868	2748	WinRAR.exe	62
PID 2748 wrote to memory of 868	2748	WinRAR.exe	62
PID 2748 wrote to memory of 868	2748	WinRAR.exe	62
PID 2748 wrote to memory of 2452	2748	WinRAR.exe	63
PID 2748 wrote to memory of 2452	2748	WinRAR.exe	63
PID 2748 wrote to memory of 2452	2748	WinRAR.exe	63
PID 2748 wrote to memory of 1748	2748	WinRAR.exe	65
PID 2748 wrote to memory of 1748	2748	WinRAR.exe	65
PID 2748 wrote to memory of 1748	2748	WinRAR.exe	65
PID 2748 wrote to memory of 1352	2748	WinRAR.exe	66
PID 2748 wrote to memory of 1352	2748	WinRAR.exe	66
PID 2748 wrote to memory of 1352	2748	WinRAR.exe	66
PID 2748 wrote to memory of 768	2748	WinRAR.exe	68
PID 2748 wrote to memory of 768	2748	WinRAR.exe	68
PID 2748 wrote to memory of 768	2748	WinRAR.exe	68
PID 2748 wrote to memory of 1380	2748	WinRAR.exe	69
PID 2748 wrote to memory of 1380	2748	WinRAR.exe	69
PID 2748 wrote to memory of 1380	2748	WinRAR.exe	69
PID 2748 wrote to memory of 1692	2748	WinRAR.exe	71
PID 2748 wrote to memory of 1692	2748	WinRAR.exe	71
PID 2748 wrote to memory of 1692	2748	WinRAR.exe	71
PID 2748 wrote to memory of 1676	2748	WinRAR.exe	72
PID 2748 wrote to memory of 1676	2748	WinRAR.exe	72
PID 2748 wrote to memory of 1676	2748	WinRAR.exe	72
PID 2748 wrote to memory of 2080	2748	WinRAR.exe	73
PID 2748 wrote to memory of 2080	2748	WinRAR.exe	73
PID 2748 wrote to memory of 2080	2748	WinRAR.exe	73
PID 2748 wrote to memory of 1376	2748	WinRAR.exe	75
PID 2748 wrote to memory of 1376	2748	WinRAR.exe	75
PID 2748 wrote to memory of 1376	2748	WinRAR.exe	75
PID 2748 wrote to memory of 1772	2748	WinRAR.exe	76
PID 2748 wrote to memory of 1772	2748	WinRAR.exe	76
PID 2748 wrote to memory of 1772	2748	WinRAR.exe	76
PID 2748 wrote to memory of 1652	2748	WinRAR.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe
"C:\Users\Admin\AppData\Local\Temp\961491690742f96da48d1ca1c9dcb91b0d23a803e16dcc8852d90b2f4e54028d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\PN3845DtPXfCcoisvbdBJiLsp6plsWC5nHzTerGVBK9Aa7lWb6.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\OrxRhfTKfGvHwDBiFG3cEmHkYN.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\WinRAR.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850/Root/Resources/bin/cache/winrar-x64-701ru/WinRAR.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\WinRAR.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ynfWNffu9F.bat"
        5⤵
        
        PID:2512
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2704
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2800
      - C:\Program Files\Windows Sidebar\fr-FR\cmd.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\WinRAR.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\OrxRhfTKfGvHwDBiFG3cEmHkYN.bat

Filesize
140B

MD5
bb47412af9d5e3192218ee1de8ce3e99

SHA1
15e980722e57fe678cced7441e89234b0590241d

SHA256
2ac628b32907d0b2545bf2954e31bfe10553c4ed061ee662184a25c0fa19792a

SHA512
db660453f66b054b11fd99bb9eda292d3b8dfd64bc75f7af810ab04ccd025c6fbe7d36e62ee14716ac932e3eb7b9e978ae41c3398b2b06216ea4373458b0532f

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_8712_1425929850\Root\Resources\bin\cache\winrar-x64-701ru\PN3845DtPXfCcoisvbdBJiLsp6plsWC5nHzTerGVBK9Aa7lWb6.vbe

Filesize
277B

MD5
8b13dc9793a5e8ec37e0413d8dcf35ac

SHA1
1069fccfdfad6aa0c331a6861c7f1d6c544c1a98

SHA256
c2ac42b495068dc4b86c5d58c30caa1a7e4e2b63c3dba39e0bf79c106d37cb89

SHA512
e7ca859c50a9ed50a865c7efb9fdf873c2db0cc468a6302690c975e7b36d64dc53c3bf7ea5ae336020ff77aaf9ff02f73278b344f64ac0a3a92febc5908d029a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ynfWNffu9F.bat

Filesize
222B

MD5
1d82b6536620b0b948f8702a8e7c694e

SHA1
483858bac13a4f167300d86f432e5d3f2f8e7521

SHA256
5782ef2aa3dda6893c1bce4fa46bbac17b91782f01f8d945606d11acd67cc9c7

SHA512
6066744c85151d93f739a5c758ab83c8f25936b8e70d140988224e7bf4dcff9d28c0cc38300a76ac7cd091a937b00197d65b266418446ec7b95b851e8ad5116c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0c0cbaa48bab5f8dd3f22f359a74e8b0

SHA1
04c612a34e9ad348f9ccf6c6c0659765d9b30256

SHA256
053ed609374df54acd1c9286ea484e612517b47a89e80c99dd65d823df822b9b

SHA512
dec5f31b33fa165c5b62d273b22bd699e35c99d40304cd7eadcd003f81eb2a99a0d10b9444a26b3dac6402321af9c69defb68bba0dd75dd002c83b476a4990da

Download Submit
memory/768-136-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/880-80-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2748-17-0x00000000020D0000-0x00000000020EC000-memory.dmp

Filesize
112KB

Download
memory/2748-23-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/2748-25-0x00000000020C0000-0x00000000020CE000-memory.dmp

Filesize
56KB

Download
memory/2748-27-0x0000000002130000-0x0000000002138000-memory.dmp

Filesize
32KB

Download
memory/2748-29-0x0000000002140000-0x000000000214C000-memory.dmp

Filesize
48KB

Download
memory/2748-21-0x0000000002110000-0x0000000002122000-memory.dmp

Filesize
72KB

Download
memory/2748-19-0x00000000020F0000-0x0000000002108000-memory.dmp

Filesize
96KB

Download
memory/2748-15-0x0000000000800000-0x000000000080E000-memory.dmp

Filesize
56KB

Download
memory/2748-13-0x0000000000360000-0x0000000000560000-memory.dmp

Filesize
2.0MB

Download
memory/2980-139-0x0000000000280000-0x0000000000480000-memory.dmp

Filesize
2.0MB

Download