dcrat | 9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d

Analysis

max time kernel
118s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe
Size

1.9MB
MD5

f0760ed8625ee03218d3064f83594c03
SHA1

07c653bb3ca05ac4e208f689abc2e0652e8614aa
SHA256

9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d
SHA512

3047e0053a2bf8871f796b3218dd1982adef3b9cffbb90d18cebfda18ad56faef00af34371c7ff9d1c9e84cf92dc220548f801d814625e082e40f4b8fd79746e
SSDEEP

49152:OB8c5eSHkidcRnl0jHWuN2op5tUaqNCAM:QH3k0snDCgNCAM

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2608	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2608	schtasks.exe	35

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
688	powershell.exe
896	powershell.exe
840	powershell.exe
1604	powershell.exe
564	powershell.exe
2356	powershell.exe
836	powershell.exe
2352	powershell.exe
1636	powershell.exe
1524	powershell.exe
2036	powershell.exe
2068	powershell.exe
2112	powershell.exe
1512	powershell.exe
1336	powershell.exe
800	powershell.exe
2948	powershell.exe
280	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
740	WinRAR.exe
2464	WinRAR.exe

Loads dropped DLL 2 IoCs

pid	Process
2704	cmd.exe
2704	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\ja-JP\886983d96e3d3e	WinRAR.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\WmiPrvSE.exe	WinRAR.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\24dbde2999530e	WinRAR.exe
File created	C:\Program Files\Windows Journal\ja-JP\csrss.exe	WinRAR.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\csrss.exe	WinRAR.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\tracing\csrss.exe	WinRAR.exe
File created	C:\Windows\tracing\886983d96e3d3e	WinRAR.exe
File created	C:\Windows\Speech\Common\csrss.exe	WinRAR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WinRAR.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WinRAR.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2240	schtasks.exe
1616	schtasks.exe
2960	schtasks.exe
1700	schtasks.exe
1592	schtasks.exe
620	schtasks.exe
2084	schtasks.exe
1984	schtasks.exe
2248	schtasks.exe
2204	schtasks.exe
2224	schtasks.exe
2732	schtasks.exe
796	schtasks.exe
2920	schtasks.exe
408	schtasks.exe
2912	schtasks.exe
1904	schtasks.exe
1916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe
740	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	740	WinRAR.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2464	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 1784	1668	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	31
PID 1668 wrote to memory of 1784	1668	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	31
PID 1668 wrote to memory of 1784	1668	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	31
PID 1668 wrote to memory of 1784	1668	9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe	31
PID 1784 wrote to memory of 2704	1784	WScript.exe	32
PID 1784 wrote to memory of 2704	1784	WScript.exe	32
PID 1784 wrote to memory of 2704	1784	WScript.exe	32
PID 1784 wrote to memory of 2704	1784	WScript.exe	32
PID 2704 wrote to memory of 740	2704	cmd.exe	34
PID 2704 wrote to memory of 740	2704	cmd.exe	34
PID 2704 wrote to memory of 740	2704	cmd.exe	34
PID 2704 wrote to memory of 740	2704	cmd.exe	34
PID 740 wrote to memory of 836	740	WinRAR.exe	54
PID 740 wrote to memory of 836	740	WinRAR.exe	54
PID 740 wrote to memory of 836	740	WinRAR.exe	54
PID 740 wrote to memory of 2036	740	WinRAR.exe	55
PID 740 wrote to memory of 2036	740	WinRAR.exe	55
PID 740 wrote to memory of 2036	740	WinRAR.exe	55
PID 740 wrote to memory of 800	740	WinRAR.exe	56
PID 740 wrote to memory of 800	740	WinRAR.exe	56
PID 740 wrote to memory of 800	740	WinRAR.exe	56
PID 740 wrote to memory of 1336	740	WinRAR.exe	57
PID 740 wrote to memory of 1336	740	WinRAR.exe	57
PID 740 wrote to memory of 1336	740	WinRAR.exe	57
PID 740 wrote to memory of 688	740	WinRAR.exe	59
PID 740 wrote to memory of 688	740	WinRAR.exe	59
PID 740 wrote to memory of 688	740	WinRAR.exe	59
PID 740 wrote to memory of 2068	740	WinRAR.exe	60
PID 740 wrote to memory of 2068	740	WinRAR.exe	60
PID 740 wrote to memory of 2068	740	WinRAR.exe	60
PID 740 wrote to memory of 1636	740	WinRAR.exe	63
PID 740 wrote to memory of 1636	740	WinRAR.exe	63
PID 740 wrote to memory of 1636	740	WinRAR.exe	63
PID 740 wrote to memory of 2352	740	WinRAR.exe	65
PID 740 wrote to memory of 2352	740	WinRAR.exe	65
PID 740 wrote to memory of 2352	740	WinRAR.exe	65
PID 740 wrote to memory of 896	740	WinRAR.exe	67
PID 740 wrote to memory of 896	740	WinRAR.exe	67
PID 740 wrote to memory of 896	740	WinRAR.exe	67
PID 740 wrote to memory of 840	740	WinRAR.exe	69
PID 740 wrote to memory of 840	740	WinRAR.exe	69
PID 740 wrote to memory of 840	740	WinRAR.exe	69
PID 740 wrote to memory of 2948	740	WinRAR.exe	71
PID 740 wrote to memory of 2948	740	WinRAR.exe	71
PID 740 wrote to memory of 2948	740	WinRAR.exe	71
PID 740 wrote to memory of 280	740	WinRAR.exe	72
PID 740 wrote to memory of 280	740	WinRAR.exe	72
PID 740 wrote to memory of 280	740	WinRAR.exe	72
PID 740 wrote to memory of 1604	740	WinRAR.exe	73
PID 740 wrote to memory of 1604	740	WinRAR.exe	73
PID 740 wrote to memory of 1604	740	WinRAR.exe	73
PID 740 wrote to memory of 1524	740	WinRAR.exe	74
PID 740 wrote to memory of 1524	740	WinRAR.exe	74
PID 740 wrote to memory of 1524	740	WinRAR.exe	74
PID 740 wrote to memory of 2356	740	WinRAR.exe	75
PID 740 wrote to memory of 2356	740	WinRAR.exe	75
PID 740 wrote to memory of 2356	740	WinRAR.exe	75
PID 740 wrote to memory of 564	740	WinRAR.exe	76
PID 740 wrote to memory of 564	740	WinRAR.exe	76
PID 740 wrote to memory of 564	740	WinRAR.exe	76
PID 740 wrote to memory of 2112	740	WinRAR.exe	77
PID 740 wrote to memory of 2112	740	WinRAR.exe	77
PID 740 wrote to memory of 2112	740	WinRAR.exe	77
PID 740 wrote to memory of 1512	740	WinRAR.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe
"C:\Users\Admin\AppData\Local\Temp\9035fcba668617e1471b67b0b5d95ea2582828243ab923dd2c423e667dbd629d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\QfVXG2q6DfaUiSMJ.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\vrb9dR4dg8Y2QFcBzx1PxO83yV.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe
      "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804/winrar-x64-701/WinRAR.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m5KG5evz6Q.bat"
        5⤵
        
        PID:1552
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2340
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\en-US\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Music\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRAR" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinRARW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\WinRAR.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\QfVXG2q6DfaUiSMJ.vbe

Filesize
251B

MD5
af5a30d028d6a5e7d188ff3b979e8566

SHA1
e76317932d35a4428738912c5b1107af501f4b03

SHA256
1f6f643b2402635cc0cad80bbf2b6ee77da35af77dfb4890687d676affa13eac

SHA512
f1d66bf2dc43b63815e7e86529d402ebf15553f406edde9a3e22f1493b68636b0237ddd92d8e93820a82c7031ca420cd088d397de10adb5f5830bb3f64bafa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_BITS_11056_1885616804\winrar-x64-701\vrb9dR4dg8Y2QFcBzx1PxO83yV.bat

Filesize
117B

MD5
38c9a9b2baa13052d877a46df02f565a

SHA1
9c777107eaac4b39d50347e3757c384b338ad7eb

SHA256
95b80502d9e6d30a2a34b6958bb18cba07f6c8a117ba71eee88df97b91ab4d18

SHA512
f2e35fc451e1702735dbc5effec881b23d094772c34026982201281500392e5092e57c8531018e482d4dc838b1674f43a7a3712f66b376c5bb1c2807ee7c120a

Download Submit
C:\Users\Admin\AppData\Local\Temp\m5KG5evz6Q.bat

Filesize
264B

MD5
bc8e9454df79b59d42999eb181377c28

SHA1
96ccfd25196a7f3c318bb1c3b0bd857c6315b3c6

SHA256
56930df5876c0fae6fa05314221c58972b0a026584135dad725eed753bebd4e7

SHA512
72490b62732398508cbc464f3424b4fac64322e89f0c006cfb9d6a09bf6166c16d43b115b6d212b73e8b2fe4ddee791ee82f126bad58380eeef5175005336a5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HCD933JRCDWZV5P1UXAQ.temp

Filesize
7KB

MD5
96388e366948e64c6b6eb6caa2e64f6f

SHA1
364abbc4afd7df15bc848c245f6f15d4c51449dc

SHA256
c740002501eaf8d240df1b42e7235db0d4f681fdadaef7cef82145ef75d40d52

SHA512
c5b65b5b0ade1bde165ea4ff8626d60aa06f859737afd88ed2390f69da993e2c914fed79c9c7131fe39f9007c9828036cdb1ea7a8b3fa956edc0d64acee7d806

Download Submit
memory/564-76-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/740-17-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/740-21-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/740-23-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/740-25-0x0000000000460000-0x000000000046E000-memory.dmp

Filesize
56KB

Download
memory/740-27-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/740-29-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/740-19-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/740-15-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/740-13-0x00000000012B0000-0x00000000014B0000-memory.dmp

Filesize
2.0MB

Download
memory/2352-133-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2464-135-0x0000000000090000-0x0000000000290000-memory.dmp

Filesize
2.0MB

Download