Analysis

  • max time kernel
    149s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-12-2024 02:17

General

  • Target

    18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f.exe

  • Size

    2.5MB

  • MD5

    a26ed7dc21bc77f20c0251fa25738d02

  • SHA1

    8fc82929941d67a20c76976e796feab701795c2f

  • SHA256

    18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

  • SHA512

    5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

  • SSDEEP

    24576:eRDNakc4BcCw7sUL/4cIG5IuUe1QdcqTHmdbBs3eJCZrCsjOEKka+wlFlett6t1:yDNu4BaMcQmQmqyHM6sslnE

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • DCRat payload 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 41 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f.exe
    "C:\Users\Admin\AppData\Local\Temp\18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HhKLl6gQko.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:1632
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1672
        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe
          "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2544
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3064
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2896
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2780
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2668
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2676
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2684
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2712
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2740
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2704
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:944
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nLkpgeVQrJ.bat"
            4⤵
              PID:1944
              • C:\Windows\system32\chcp.com
                chcp 65001
                5⤵
                  PID:3032
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  5⤵
                    PID:1740
                  • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe
                    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe"
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2764
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1684
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2244
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2096
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1212
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1312
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2604
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1756
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2060
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2016
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1132
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2992
                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                      6⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2216
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat"
                      6⤵
                        PID:2140
                        • C:\Windows\system32\chcp.com
                          chcp 65001
                          7⤵
                            PID:2568
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            7⤵
                              PID:1672
                            • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe
                              "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe"
                              7⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1988
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:520
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2316
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1700
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3020
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1504
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1856
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2160
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1408
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1360
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1868
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:620
                              • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1652
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGPFa9vscR.bat"
                                8⤵
                                  PID:2504
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    9⤵
                                      PID:2544
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      9⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:2460
                                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe
                                      "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe"
                                      9⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1264
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Executes dropped EXE
                                        PID:2304
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:1680
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:1952
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:2288
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:436
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:1780
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:1512
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:2064
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:2496
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:2648
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:2624
                                      • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                                        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                        10⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        PID:2024

Network

MITRE ATT&CK Enterprise v15


                    Downloads

                    • C:\Program Files\Microsoft Office\services.exe

                      Filesize

                      2.5MB

                      MD5

                      a26ed7dc21bc77f20c0251fa25738d02

                      SHA1

                      8fc82929941d67a20c76976e796feab701795c2f

                      SHA256

                      18e83d9fabe142a751c644f12d223e6c4825912573a352551361abde977d753f

                      SHA512

                      5e8044fd8e78aad306d8ffd3b3bbc6583cc353c8cddda1a15b05a22fcf7815a770482418bdb120c679f784017741e36c87aa5bb053008cc94fe9560b97366838

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe

                      Filesize

                      2.1MB

                      MD5

                      807241164467903cd79a8e9fe994edec

                      SHA1

                      e65e0c5aa158cca3120433119df8e294004151e3

                      SHA256

                      565bf8ae75ea41c12f3f3d75c4e8ffa685e2467a1fb16d6e57a1edd49ace64ad

                      SHA512

                      fdf3e2584e3a2f194cf0990022499ef55b7ef071cff54cbd9a5583edc8c0608e3f17b598cc96601bcd897df78dbd528aa7a50412fe5f6cc7ecd551d9a9ac1783

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe

                      Filesize

                      384KB

                      MD5

                      71cc53662eea16dd8aacdaae8524b839

                      SHA1

                      8a619e199e20d4289dc0ff0224cfd60353eb5f8c

                      SHA256

                      4f89c984d371d01c46e32199904c20abd5aee13cd90cad729358022e493326b8

                      SHA512

                      aa1a216df7785bc574d19dff7c46c02a6fc6657f3007efc511b7fca7fcc5e84554431f7cafc3c92205dea604e5b7d1f876ebc4285306724934362b9db1e3a293

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe

                      Filesize

                      1.4MB

                      MD5

                      e2482adce9e0c8dc64878b58ba56193c

                      SHA1

                      fad83867e51441543340b8dbcc6ad6e192165bd3

                      SHA256

                      294c4d685b9491dbc6c5d7d81f1c156ff322df93beb257ca751d3962260d3c90

                      SHA512

                      b69e1abe25cf3ecad23bb19d701d6bcd9584937a35d50c964f9bc9595d645a3aa4ff2461b017795d25e84fc97588d6f3fc778df4002a280d38be66d081dc2c12

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      Filesize  1.2MB
                      MD5       8cb27d951fd6cf1a649fea90eb0f6896
                      SHA1      58869170502225277806e6c3d766be67c84ef03d
                      SHA256    b862f35283d376e2e5a8ea74c9591346ea9193cc1e3937a98cf25f7c96245462
                      SHA512    d051b3db235c4110a9f1cb81161e3887726cca278cd58d2cc637f2675af0e50f94ae7b85267b2f47b5c3a0a1181c53d037eb166e5c55419a6c76145e3267b837

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      Filesize  1.2MB
                      MD5       b920d8ea74eddea7e366b46e50af4c98
                      SHA1      662dbb490c696d068222e46c01ac778420e9df9b
                      SHA256    23370b2bcf6f115337f4f49908790ef0a86a65989be402cd4eae9f791451f61b
                      SHA512    1f468ad9d62a1d245e29f8e9554951a29c03f8fcfb153ef713b9e67f0e036841fe9f128cbb2e4763f73b9260791df8315a3c19ccfdb2994f1a26179e2948d866

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      Filesize  1.7MB
                      MD5       550ecbeeb42ed2a3da64abc1d6d05a68
                      SHA1      8fa9ffba98c9428f1bdaa7de223f7604cf5aaea9
                      SHA256    1e7a2f3d9c1cabda4ac1714afac1e95fb78112142732d832bc2f9611b0bb4918
                      SHA512    eaab0ccef20cf01a8f241b63916b637643f4dc347ff9b25059522ede752e5f5559f18a9484e5173d92e17fabc8fff77d7e00846d8fc985740c5ed0636e4edbb9

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      Filesize  64KB
                      MD5       662e351b7299695c10d98195c74682bb
                      SHA1      0980d7fee33b832ef2614f203f269068900af9a2
                      SHA256    e98a06c2fe988107034764634112f45f18b7976ae3dfb860d89248217accad1f
                      SHA512    61e49b92a280fedb380f7321572cad46e013e3c57d0c9b64e7485473ebabe20089568850e0d07be5114c95b697e9fc128c1bcf9ce4a4926265dcd4b41b625db4

                    • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
                      Filesize  42KB
                      MD5       8048cfedd03f8eed34e2ef0da95b36c0
                      SHA1      cfe7305289b812b01863e57cbeb2cef9040a3cdc
                      SHA256    ad451f7e0c6e95c516af5d288fef4de986e31522350037b5a74b2f9b8ad42513
                      SHA512    ac8c8186cd52488efb3a50f137b1953addee6f2b32184dee965067b61c87a4034ad286d29623483c5362cfb414c2d375b6f0b86c5b269525f6df4b11e45c19fa

                    • C:\Users\Admin\AppData\Local\Temp\HhKLl6gQko.bat
                      Filesize  184B
                      MD5       da300c5e8f6b729790a81f7e47e2ea39
                      SHA1      29bc0b774cb0aa3b7b7527937074c87c06991953
                      SHA256    ac57f2455388bd16854eef5f5e4bec9bdcd7cd8cd0bb7fb8364f8b643356fd4f
                      SHA512    05c3175b114b1e4589aecd8cfad2c0b694401368d899d2feea3789dd18c84b0c7d3b6db8c73aa8b32f680a8a85e18c7a8aaf8329f795baad801b622627f79b91

                    • C:\Users\Admin\AppData\Local\Temp\PGPFa9vscR.bat
                      Filesize  184B
                      MD5       d26efe87c8756d8d48feda5af42cf5ea
                      SHA1      e22e7b9770bd587a1cdecfe09101f95919bf511a
                      SHA256    8cb8e5d15d7875ecf5c758eec491bcf5961bef3dffd0f21e57a384a1ae763456
                      SHA512    c401e2269b786aa49afe615f96f3ff932e9ea218efa3297257938f70486bc651ccc9e0b2649efa2ca61b6c1c69388b1fde8cd0946210e1eea60ede67e7e9096f

                    • C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat
                      Filesize  232B
                      MD5       6718b815be5a1e62fdb2a2cf92f600d1
                      SHA1      ddc0ca77cf185b96cde5fe059c855ed64e496039
                      SHA256    53b99d9010b3505742912cb93756069b792eb19f3311cefaa141fcd0a7ab9cdb
                      SHA512    7fbebb216dce5ac6a276e1ffe273b9c34c2770a4a81c59866e7a7bdd37622c2a3c087e0c594326ac6946a7a59ff106d167021e4e49ac76e260043bf978d6d31f

                    • C:\Users\Admin\AppData\Local\Temp\nLkpgeVQrJ.bat
                      Filesize  232B
                      MD5       67b619089ae19f2717cd13f756b9ac75
                      SHA1      b18ff69480882c9666598f2e298c37caef0b4f42
                      SHA256    35d28dffb871140b882b20e08838a9850611dc1265d13edc467c9df8a1839e6c
                      SHA512    2bc56127650a40e2d87cdcca12a3fccc913182e99709d27ad9e35f42125f42e8047c442536a48acd31d4a53686dc422c30ec4166f4e4185d29bab7c65a14cf99

                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                      Filesize  7KB
                      MD5       bf9097786fa494ea275f245f83d5f019
                      SHA1      da031dfdc3c82e311b075dc2c8a9e182f21b3022
                      SHA256    a1ae3b893407ba4c3ab43e9bb9c20ac29032a2b269ab30526813bd79e377242d
                      SHA512    f9e20393be6cebd4579c213305f13fdcd6b7bcdffb5bf7ac15acec0b1ee91222b19ecf5791566db3755749077d0bb8cb1f3cc99fc9ad1e9694d378aacd6d45cc

                    • memory/1132-135-0x000000001B160000-0x000000001B442000-memory.dmp
                      Filesize  2.9MB

                    • memory/1988-237-0x0000000001180000-0x0000000001412000-memory.dmp
                      Filesize  2.6MB

                    • memory/2520-136-0x0000000002490000-0x0000000002498000-memory.dmp
                      Filesize  32KB

                    • memory/2544-147-0x0000000000280000-0x0000000000512000-memory.dmp
                      Filesize  2.6MB

                    • memory/2676-184-0x00000000011A0000-0x0000000001432000-memory.dmp
                      Filesize  2.6MB

                    • memory/2764-193-0x0000000000170000-0x0000000000402000-memory.dmp
                      Filesize  2.6MB

                    • memory/2880-52-0x0000000000B90000-0x0000000000B9E000-memory.dmp
                      Filesize  56KB

                    • memory/2880-29-0x0000000000690000-0x000000000069E000-memory.dmp
                      Filesize  56KB

                    • memory/2880-33-0x0000000000B10000-0x0000000000B22000-memory.dmp
                      Filesize  72KB

                    • memory/2880-34-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-36-0x00000000006B0000-0x00000000006BC000-memory.dmp
                      Filesize  48KB

                    • memory/2880-38-0x0000000000AF0000-0x0000000000B00000-memory.dmp
                      Filesize  64KB

                    • memory/2880-40-0x0000000000B50000-0x0000000000B66000-memory.dmp
                      Filesize  88KB

                    • memory/2880-42-0x0000000000B70000-0x0000000000B82000-memory.dmp
                      Filesize  72KB

                    • memory/2880-44-0x0000000000B00000-0x0000000000B0E000-memory.dmp
                      Filesize  56KB

                    • memory/2880-46-0x0000000000B30000-0x0000000000B40000-memory.dmp
                      Filesize  64KB

                    • memory/2880-48-0x0000000000B40000-0x0000000000B50000-memory.dmp
                      Filesize  64KB

                    • memory/2880-50-0x00000000022E0000-0x000000000233A000-memory.dmp
                      Filesize  360KB

                    • memory/2880-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp
                      Filesize  4KB

                    • memory/2880-54-0x0000000000BA0000-0x0000000000BB0000-memory.dmp
                      Filesize  64KB

                    • memory/2880-56-0x0000000000BB0000-0x0000000000BBE000-memory.dmp
                      Filesize  56KB

                    • memory/2880-58-0x0000000002280000-0x0000000002298000-memory.dmp
                      Filesize  96KB

                    • memory/2880-60-0x0000000000BC0000-0x0000000000BCC000-memory.dmp
                      Filesize  48KB

                    • memory/2880-62-0x0000000002530000-0x000000000257E000-memory.dmp
                      Filesize  312KB

                    • memory/2880-63-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-64-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-70-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-31-0x00000000006A0000-0x00000000006AC000-memory.dmp
                      Filesize  48KB

                    • memory/2880-27-0x0000000000680000-0x000000000068E000-memory.dmp
                      Filesize  56KB

                    • memory/2880-25-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp
                      Filesize  4KB

                    • memory/2880-24-0x00000000004D0000-0x00000000004E0000-memory.dmp
                      Filesize  64KB

                    • memory/2880-140-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-22-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-143-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-144-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-21-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-20-0x00000000004C0000-0x00000000004D0000-memory.dmp
                      Filesize  64KB

                    • memory/2880-18-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-17-0x00000000004E0000-0x00000000004F8000-memory.dmp
                      Filesize  96KB

                    • memory/2880-15-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-12-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-14-0x0000000000460000-0x0000000000470000-memory.dmp
                      Filesize  64KB

                    • memory/2880-11-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-10-0x00000000004A0000-0x00000000004BC000-memory.dmp
                      Filesize  112KB

                    • memory/2880-9-0x00000000004C0000-0x00000000004DC000-memory.dmp
                      Filesize  112KB

                    • memory/2880-7-0x0000000000450000-0x000000000045E000-memory.dmp
                      Filesize  56KB

                    • memory/2880-5-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-4-0x0000000000470000-0x0000000000496000-memory.dmp
                      Filesize  152KB

                    • memory/2880-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
                      Filesize  9.9MB

                    • memory/2880-1-0x0000000000BE0000-0x0000000000E72000-memory.dmp
                      Filesize  2.6MB
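Two things in this listing are easy to miss when the hashes are skimmed: the same C:\Recovery\<GUID>\powershell.exe path shows up repeatedly with different sizes and hashes, so the sample rewrote that one path with different contents during the run and a path-only indicator would catch a fraction of it; and the memory/ dump names encode PID, dump index and address range, which lets you check each dump's size against its range and collapse the many re-dumps of the same region (PID 2880's 9.9MB region at 0x000007FEF56D0000 is captured over a dozen times). The script below is an added example, not part of the sandbox report and not code from the sample; it parses an excerpt of this listing into records and runs those checks. Assumptions: the excerpt is constructed from entries copied off this page, the lookalike-name and system-directory lists are illustrative rather than complete, and because the report rounds sizes to two significant figures a 10% tolerance is used when comparing a dump's size to its address range.

```python
"""Parse the dropped-file and memory-dump listing of a sandbox report and run
the consistency checks an analyst wants before lifting it into an IOC set."""
import re
from collections import defaultdict

LABELS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Illustrative lists (assumption, not exhaustive): binary names a dropper likes
# to borrow, and the only directories where the genuine binaries are installed.
LOOKALIKE_NAMES = {"powershell.exe", "cmd.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files\powershell")

# Constructed excerpt: entries copied from the report's listing. The parser takes
# "label value" on one line and also the page's layout with the value on the next
# non-blank line (the .bat entry below is written that way on purpose).
SAMPLE = r"""
• C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
  Filesize 384KB
  MD5 71cc53662eea16dd8aacdaae8524b839
  SHA256 4f89c984d371d01c46e32199904c20abd5aee13cd90cad729358022e493326b8
• C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\powershell.exe
  Filesize 1.4MB
  MD5 e2482adce9e0c8dc64878b58ba56193c
  SHA256 294c4d685b9491dbc6c5d7d81f1c156ff322df93beb257ca751d3962260d3c90
• C:\Users\Admin\AppData\Local\Temp\HhKLl6gQko.bat
  Filesize

  184B
  MD5

  da300c5e8f6b729790a81f7e47e2ea39
• memory/2880-1-0x0000000000BE0000-0x0000000000E72000-memory.dmp
  Filesize 2.6MB
• memory/2880-34-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
  Filesize 9.9MB
• memory/2880-63-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp
  Filesize 9.9MB
• memory/1132-135-0x000000001B160000-0x000000001B442000-memory.dmp
  Filesize 2.9MB
"""


def parse_listing(text):
    """Bullet listing -> list of dicts like {"name": ..., "Filesize": ..., "SHA256": ...}."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            entries.append({"name": line[1:].strip()})
            pending = None
            continue
        label, _, value = line.partition(" ")
        if label in LABELS:
            if value.strip():
                entries[-1][label] = value.strip()
            else:
                pending = label          # value is on a following line
        elif pending:
            entries[-1][pending] = line
            pending = None
    return entries


def size_to_bytes(text):
    """'384KB' -> 393216.0; report sizes are rounded, so treat the result as approximate."""
    m = re.fullmatch(r"([\d.]+)(B|KB|MB)", text)
    return float(m.group(1)) * UNITS[m.group(2)]


def hashes_per_path(entries):
    """Distinct SHA256 values per dropped-file path; >1 means the same path was
    written with different contents during the run."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e and not e["name"].startswith("memory/"):
            seen[e["name"]].add(e["SHA256"].lower())
    return dict(seen)


def masquerading_paths(entries):
    """Dropped files named like a Windows binary but outside the directories where
    the genuine binary lives."""
    flagged = set()
    for e in entries:
        directory, _, base = e["name"].lower().rpartition("\\")
        if base in LOOKALIKE_NAMES and not directory.startswith(SYSTEM_DIRS):
            flagged.add(e["name"])
    return sorted(flagged)


def memory_regions(entries):
    """Decode memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp and check the reported
    dump size against the address range (10% tolerance for rounding)."""
    regions = []
    for e in entries:
        m = MEM_RE.match(e["name"])
        if not m:
            continue
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        span = end - start
        reported = size_to_bytes(e["Filesize"]) if "Filesize" in e else None
        size_ok = reported is not None and abs(span - reported) / span < 0.10
        regions.append({"pid": int(m.group(1)), "index": int(m.group(2)),
                        "start": start, "end": end, "bytes": span, "size_ok": size_ok})
    return regions


def distinct_regions_per_pid(regions):
    """Collapse repeated dumps of one range so you see how many distinct regions
    were actually captured per process."""
    by_pid = defaultdict(set)
    for r in regions:
        by_pid[r["pid"]].add((r["start"], r["end"]))
    return {pid: sorted(ranges) for pid, ranges in by_pid.items()}


if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for path, hashes in hashes_per_path(entries).items():
        print(f"{len(hashes)} distinct SHA256 values for {path}")
    print("masquerading:", masquerading_paths(entries))
    regions = memory_regions(entries)
    for r in regions:
        print(f"pid {r['pid']} #{r['index']}: 0x{r['start']:X}-0x{r['end']:X} "
              f"= {r['bytes']} bytes, size_ok={r['size_ok']}")
    print("distinct regions per pid:", distinct_regions_per_pid(regions))
```

Feed it the full listing instead of the excerpt and the per-path hash count tells you how many distinct binaries to hunt for under that one C:\Recovery path, while distinct_regions_per_pid shrinks PID 2880's fifty dumps to the handful of regions worth pulling into a debugger.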