dcrat | d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-12-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
Size

2.9MB
MD5

ce2ec4539435dfeac7e246fe5565c521
SHA1

59f3da006005a109914c31b5d5cd94dc4c93309c
SHA256

d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562
SHA512

408a1db2cd98702bca3811e124d78a56cbca79a1d200593759bde1947a4a599f8cd40cd8dbb2e7be7dec416e3f5de0c4466f98ddea1daf6d313671695f25a7ba
SSDEEP

49152:6h/814lignPl1s5Cp5+tOCiqgc8I7uBiYUtGGirMn0JkH4SwiLwRktMtL+CsA7Z:6h/8Hgn9u4P+l8I7uB6db0JhAw6tMtLr

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Steam\\steamclient.exe\""	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Steam\\steamclient.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe\""	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2420	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
2932	powershell.exe
2364	powershell.exe
3016	powershell.exe
444	powershell.exe
1224	powershell.exe
1800	powershell.exe
1284	powershell.exe
2596	powershell.exe
1268	powershell.exe
2100	powershell.exe
2524	powershell.exe
1704	powershell.exe
808	powershell.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamclient = "\"C:\\Program Files (x86)\\Steam\\steamclient.exe\""	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe\""	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe\""	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\steamclient = "\"C:\\Program Files (x86)\\Steam\\steamclient.exe\""	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDE03AFD6FE2F4AD2B2D2406A541BA4C.TMP	csc.exe
File created	\??\c:\Windows\System32\9w3j6e.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Steam\steamclient.exe	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
File opened for modification	C:\Program Files (x86)\Steam\steamclient.exe	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
File created	C:\Program Files (x86)\Steam\fcafd258929766	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2696	schtasks.exe
1160	schtasks.exe
2732	schtasks.exe
912	schtasks.exe
2904	schtasks.exe
580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1996	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2260	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	34
PID 2568 wrote to memory of 2260	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	34
PID 2568 wrote to memory of 2260	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	34
PID 2260 wrote to memory of 1044	2260	csc.exe	36
PID 2260 wrote to memory of 1044	2260	csc.exe	36
PID 2260 wrote to memory of 1044	2260	csc.exe	36
PID 2568 wrote to memory of 2932	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	40
PID 2568 wrote to memory of 2932	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	40
PID 2568 wrote to memory of 2932	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	40
PID 2568 wrote to memory of 1268	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	41
PID 2568 wrote to memory of 1268	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	41
PID 2568 wrote to memory of 1268	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	41
PID 2568 wrote to memory of 1800	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	42
PID 2568 wrote to memory of 1800	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	42
PID 2568 wrote to memory of 1800	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	42
PID 2568 wrote to memory of 1224	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	44
PID 2568 wrote to memory of 1224	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	44
PID 2568 wrote to memory of 1224	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	44
PID 2568 wrote to memory of 2596	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	47
PID 2568 wrote to memory of 2596	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	47
PID 2568 wrote to memory of 2596	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	47
PID 2568 wrote to memory of 444	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	49
PID 2568 wrote to memory of 444	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	49
PID 2568 wrote to memory of 444	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	49
PID 2568 wrote to memory of 808	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	50
PID 2568 wrote to memory of 808	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	50
PID 2568 wrote to memory of 808	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	50
PID 2568 wrote to memory of 1704	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	51
PID 2568 wrote to memory of 1704	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	51
PID 2568 wrote to memory of 1704	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	51
PID 2568 wrote to memory of 1284	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	52
PID 2568 wrote to memory of 1284	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	52
PID 2568 wrote to memory of 1284	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	52
PID 2568 wrote to memory of 3016	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	53
PID 2568 wrote to memory of 3016	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	53
PID 2568 wrote to memory of 3016	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	53
PID 2568 wrote to memory of 2524	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	54
PID 2568 wrote to memory of 2524	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	54
PID 2568 wrote to memory of 2524	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	54
PID 2568 wrote to memory of 2100	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	55
PID 2568 wrote to memory of 2100	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	55
PID 2568 wrote to memory of 2100	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	55
PID 2568 wrote to memory of 2340	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	56
PID 2568 wrote to memory of 2340	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	56
PID 2568 wrote to memory of 2340	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	56
PID 2568 wrote to memory of 2364	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	57
PID 2568 wrote to memory of 2364	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	57
PID 2568 wrote to memory of 2364	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	57
PID 2568 wrote to memory of 2036	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	68
PID 2568 wrote to memory of 2036	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	68
PID 2568 wrote to memory of 2036	2568	d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe	68
PID 2036 wrote to memory of 2316	2036	cmd.exe	70
PID 2036 wrote to memory of 2316	2036	cmd.exe	70
PID 2036 wrote to memory of 2316	2036	cmd.exe	70
PID 2036 wrote to memory of 2004	2036	cmd.exe	71
PID 2036 wrote to memory of 2004	2036	cmd.exe	71
PID 2036 wrote to memory of 2004	2036	cmd.exe	71
PID 2036 wrote to memory of 1996	2036	cmd.exe	72
PID 2036 wrote to memory of 1996	2036	cmd.exe	72
PID 2036 wrote to memory of 1996	2036	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
"C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yiy0xt0e\yiy0xt0e.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6BB.tmp" "c:\Windows\System32\CSCDE03AFD6FE2F4AD2B2D2406A541BA4C.TMP"
    3⤵
    PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Steam\steamclient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zelourP5xM.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2316
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2004
- - C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe
    "C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "steamclient" /sc ONLOGON /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "steamclients" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Steam\steamclient.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562d" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562d" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\d5ee74f4f460c4f861c01ecc3e22b679075949108b6fee594193695d4175d562.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESA6BB.tmp

Filesize
1KB

MD5
4a0deb1511728fa948731ecd70a4ab86

SHA1
88aa6c7503ecaa0bf0e50ad771c71072c193f875

SHA256
0f822a5719cb87bc82fd297e132598f77b319c8983a8253272f5a87a82fa627a

SHA512
c53df6095b69f86df7b465eb56341b255d4347b74e82c59cba14e47049710c979d6f53ba10f89adf922c35ffa38f2d7dc4b2f1db871895b7e6de11eeb3ecadf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zelourP5xM.bat

Filesize
278B

MD5
42a814f420583906d6473e3c7f74e35b

SHA1
6545d590e075a481efa91653e49578c0f6177025

SHA256
35b82251f500b3c65e99103136a98ec8c20d196999e6b5fe407f56adec8495b9

SHA512
82e38f7f3a90acd4b8b077260bf0587e843a451eeb424b75d961d9c79d7ccd084a3022c54c5f375c540fb779936bb781a79baca3c657981c02335a2989122fd4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aa34d35b77907f10f8cad9912ce484f9

SHA1
2b7c5c99b819096e5f98e128652ba2bdab51d5a3

SHA256
cf3ba67343b1b205cd5082155c667b247155786fdf814a7171da1e64fa540221

SHA512
0685d814d0d9f83a66f9976eedce58e1aabbf976eedd74f6eb8de87e8bd1a0b5cd954f02dc465ec455f30ab69f32a563372330a7ddd40d6376295f7e98b28fa0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yiy0xt0e\yiy0xt0e.0.cs

Filesize
376B

MD5
f82989096fe4df29f01615e9c141d1d3

SHA1
f652c642369516e4a840b1e2e41249f7e1b830e5

SHA256
76b4ef7827810dbba1853836504b83f6a0f62dfbe30a16841cf54ab483620436

SHA512
e0ef4b7092205ea4e2c9b0689d98b4a4422c6d3eddf38a0003a77b1944b96001f9ea39bc7e7b2a203850f2e26014dc9d991e8a581b6089db7ea8eaeee6baec69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yiy0xt0e\yiy0xt0e.cmdline

Filesize
235B

MD5
7debe2416f25fd9db9ddad42a45267b7

SHA1
875269326cb10de2d5a0d37da49c0bfa367cfefc

SHA256
0a3dfe444981cffb51dc81c63baaae939fbee6ac4ece57a044dcca83f2ccade3

SHA512
4607bcc29f37c878bee642405361d8f6cf6df1a8d6c1b243949660c600fe23bae83425bc6d5e9d65b33683075d72d621de34411661eb510ea7d9ccfe5635ff77

Download Submit
\??\c:\Windows\System32\CSCDE03AFD6FE2F4AD2B2D2406A541BA4C.TMP

Filesize
1KB

MD5
70046c6c63d509bb29450ef32b59dda3

SHA1
26802b73997ee22a7cd3d07ae77016969603cf00

SHA256
dd0e7409cd9412eafdd8f881d6094fb539ad19c7a54d76043de655a00f80f5d0

SHA512
d7b8d4ed84b8e1f5e416c378872bb7bc6d884341f0aa76f2c3b664f1ad0324a2d749c51718f3940d61663d152c35ba241ce0def03a002c6423a4d0957866c96f

Download Submit
memory/1800-3647-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/1800-3645-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1996-3704-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/2568-24-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-58-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-46-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-3563-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-54-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-3574-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-56-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-6-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-60-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-8-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-10-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-12-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-14-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-16-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-18-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-20-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-28-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-66-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-326-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-64-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-62-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-50-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-48-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-44-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-42-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-38-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-36-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-34-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-32-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-30-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-26-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-4-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-22-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-3560-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-52-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-3573-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-41-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-3585-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/2568-3587-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/2568-3583-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-3582-0x0000000000D00000-0x0000000000D10000-memory.dmp

Filesize
64KB

Download
memory/2568-3580-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-3589-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/2568-3579-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/2568-3593-0x000000001A670000-0x000000001A686000-memory.dmp

Filesize
88KB

Download
memory/2568-3591-0x0000000000E80000-0x0000000000E90000-memory.dmp

Filesize
64KB

Download
memory/2568-3577-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-3595-0x000000001A690000-0x000000001A6A2000-memory.dmp

Filesize
72KB

Download
memory/2568-3576-0x0000000000E60000-0x0000000000E78000-memory.dmp

Filesize
96KB

Download
memory/2568-3597-0x0000000000E90000-0x0000000000E9E000-memory.dmp

Filesize
56KB

Download
memory/2568-3599-0x000000001A650000-0x000000001A660000-memory.dmp

Filesize
64KB

Download
memory/2568-3601-0x000000001A660000-0x000000001A670000-memory.dmp

Filesize
64KB

Download
memory/2568-3603-0x000000001A710000-0x000000001A76A000-memory.dmp

Filesize
360KB

Download
memory/2568-3572-0x0000000000B30000-0x0000000000B40000-memory.dmp

Filesize
64KB

Download
memory/2568-3605-0x000000001A6B0000-0x000000001A6BE000-memory.dmp

Filesize
56KB

Download
memory/2568-3570-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-3607-0x000000001A6C0000-0x000000001A6D0000-memory.dmp

Filesize
64KB

Download
memory/2568-3609-0x000000001A6D0000-0x000000001A6DE000-memory.dmp

Filesize
56KB

Download
memory/2568-3611-0x000000001A6E0000-0x000000001A6E8000-memory.dmp

Filesize
32KB

Download
memory/2568-3613-0x000000001A770000-0x000000001A788000-memory.dmp

Filesize
96KB

Download
memory/2568-3615-0x000000001A6F0000-0x000000001A6FC000-memory.dmp

Filesize
48KB

Download
memory/2568-3-0x000000001AF30000-0x000000001B266000-memory.dmp

Filesize
3.2MB

Download
memory/2568-3569-0x0000000000CE0000-0x0000000000CFC000-memory.dmp

Filesize
112KB

Download
memory/2568-3567-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download
memory/2568-3566-0x00000000005A0000-0x00000000005AE000-memory.dmp

Filesize
56KB

Download
memory/2568-3564-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-3562-0x0000000000D10000-0x0000000000D36000-memory.dmp

Filesize
152KB

Download
memory/2568-3639-0x000007FEF5100000-0x000007FEF5AEC000-memory.dmp

Filesize
9.9MB

Download
memory/2568-2-0x000000001AF30000-0x000000001B26C000-memory.dmp

Filesize
3.2MB

Download
memory/2568-1-0x0000000000EC0000-0x0000000000EC8000-memory.dmp

Filesize
32KB

Download
memory/2568-0-0x000007FEF5103000-0x000007FEF5104000-memory.dmp

Filesize
4KB

Download