dcrat | 4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482

Analysis

max time kernel
50s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe
Size

2.2MB
MD5

a6d7768b3c9f9aae725153c932c2b689
SHA1

04666444433ca3503a63a3846b074947e474f828
SHA256

4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482
SHA512

b1b4812900a97b2edeea374bea01ade8a27e33f106061cf277eb0f15ec499be044f2e4e7e168767ad8287f2347d08102cf32ffb90cf9e7a1796a88034c225deb
SSDEEP

49152:IBJ/8S2mDpxl4U/IJL4HfAzqLwvugU6fZ9pHhjEHg2Rl+yJmu3qwl:yZ8S2mDpxl4U/IJL4HfAzqLwvugU6f1S

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Users\\Default\\Start Menu\\lsass.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Users\\Default\\Start Menu\\lsass.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\", \"C:\\Users\\Default\\Start Menu\\lsass.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\msserverfontHostsvc\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\", \"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\""	componentdll.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1700	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2400	powershell.exe
2196	powershell.exe
808	powershell.exe
2028	powershell.exe
2148	powershell.exe
1628	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
2936	componentdll.exe
2628	componentdll.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	cmd.exe
2880	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Start Menu\\lsass.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Default\\Start Menu\\lsass.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msserverfontHostsvc\\componentdll.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\DVD Maker\\Shared\\DvdStyles\\VideoWall\\OSPPSVC.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\smss.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\spoolsv.exe\""	componentdll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\3a99bb82-4e15-11ef-8354-cae67966b5f6\\Idle.exe\""	componentdll.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\componentdll = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\msserverfontHostsvc\\componentdll.exe\""	componentdll.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC2C4509D5E01246C3993BFD4E322D5A.TMP	csc.exe
File created	\??\c:\Windows\System32\qrosn9.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\OSPPSVC.exe	componentdll.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\1610b97d3ab4a7	componentdll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
840	schtasks.exe
2668	schtasks.exe
2728	schtasks.exe
1312	schtasks.exe
1840	schtasks.exe
2664	schtasks.exe
1740	schtasks.exe
1276	schtasks.exe
1832	schtasks.exe
3012	schtasks.exe
2228	schtasks.exe
2956	schtasks.exe
2004	schtasks.exe
2032	schtasks.exe
2588	schtasks.exe
1748	schtasks.exe
2164	schtasks.exe
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe
2936	componentdll.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	componentdll.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2628	componentdll.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2188	2296	4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe	30
PID 2296 wrote to memory of 2188	2296	4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe	30
PID 2296 wrote to memory of 2188	2296	4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe	30
PID 2296 wrote to memory of 2188	2296	4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe	30
PID 2188 wrote to memory of 2880	2188	WScript.exe	31
PID 2188 wrote to memory of 2880	2188	WScript.exe	31
PID 2188 wrote to memory of 2880	2188	WScript.exe	31
PID 2188 wrote to memory of 2880	2188	WScript.exe	31
PID 2880 wrote to memory of 2936	2880	cmd.exe	33
PID 2880 wrote to memory of 2936	2880	cmd.exe	33
PID 2880 wrote to memory of 2936	2880	cmd.exe	33
PID 2880 wrote to memory of 2936	2880	cmd.exe	33
PID 2936 wrote to memory of 580	2936	componentdll.exe	38
PID 2936 wrote to memory of 580	2936	componentdll.exe	38
PID 2936 wrote to memory of 580	2936	componentdll.exe	38
PID 580 wrote to memory of 2448	580	csc.exe	40
PID 580 wrote to memory of 2448	580	csc.exe	40
PID 580 wrote to memory of 2448	580	csc.exe	40
PID 2936 wrote to memory of 2028	2936	componentdll.exe	56
PID 2936 wrote to memory of 2028	2936	componentdll.exe	56
PID 2936 wrote to memory of 2028	2936	componentdll.exe	56
PID 2936 wrote to memory of 808	2936	componentdll.exe	57
PID 2936 wrote to memory of 808	2936	componentdll.exe	57
PID 2936 wrote to memory of 808	2936	componentdll.exe	57
PID 2936 wrote to memory of 2196	2936	componentdll.exe	58
PID 2936 wrote to memory of 2196	2936	componentdll.exe	58
PID 2936 wrote to memory of 2196	2936	componentdll.exe	58
PID 2936 wrote to memory of 2400	2936	componentdll.exe	60
PID 2936 wrote to memory of 2400	2936	componentdll.exe	60
PID 2936 wrote to memory of 2400	2936	componentdll.exe	60
PID 2936 wrote to memory of 2148	2936	componentdll.exe	61
PID 2936 wrote to memory of 2148	2936	componentdll.exe	61
PID 2936 wrote to memory of 2148	2936	componentdll.exe	61
PID 2936 wrote to memory of 1628	2936	componentdll.exe	63
PID 2936 wrote to memory of 1628	2936	componentdll.exe	63
PID 2936 wrote to memory of 1628	2936	componentdll.exe	63
PID 2936 wrote to memory of 2016	2936	componentdll.exe	68
PID 2936 wrote to memory of 2016	2936	componentdll.exe	68
PID 2936 wrote to memory of 2016	2936	componentdll.exe	68
PID 2016 wrote to memory of 3056	2016	cmd.exe	70
PID 2016 wrote to memory of 3056	2016	cmd.exe	70
PID 2016 wrote to memory of 3056	2016	cmd.exe	70
PID 2016 wrote to memory of 2200	2016	cmd.exe	71
PID 2016 wrote to memory of 2200	2016	cmd.exe	71
PID 2016 wrote to memory of 2200	2016	cmd.exe	71
PID 2016 wrote to memory of 2628	2016	cmd.exe	72
PID 2016 wrote to memory of 2628	2016	cmd.exe	72
PID 2016 wrote to memory of 2628	2016	cmd.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe
"C:\Users\Admin\AppData\Local\Temp\4dca2f0ac5ac98e370099d515a40d03059894d9d905fe83d55401d07cfc43482.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\b5G22TwI5sSnSJKL7urg5tCF8EHPXDbL9yEMgA9LaYyHnpFyHeN8L6Oob76V.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\Gl46TpULdKzqTEeaDuM.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe
      "C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc/componentdll.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ua5uwoy0\ua5uwoy0.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:580
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9D4.tmp" "c:\Windows\System32\CSC2C4509D5E01246C3993BFD4E322D5A.TMP"
        6⤵
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\URatn9mGg0.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3056
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdll" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "componentdllc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC9D4.tmp

Filesize
1KB

MD5
3f6fed4ef01bd4c4dda8edde2e2aa544

SHA1
1f588eda01677327853bcddd002d65a05579bb28

SHA256
08891f224fed1f8972eb4058677dc2672fbc2d4d1c6b5ba4f75caed86746facb

SHA512
54d72ca34b47657abef8dc09758327dad93ac29ee8e8904b80e39b9d385676a51f376c6e4f977c62179d23d63c754ebd78422c69176709c9afd9a0b52ee6b7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\URatn9mGg0.bat

Filesize
246B

MD5
3c5dbc5d1c7786fde0931202494db71b

SHA1
78caca791ce066b6a87877947771cd41c0c8d3a4

SHA256
4c8ad11e0a42fc3650889a71acb7536bbbe979d7df9f37df8348a2803e65a843

SHA512
d89c4e6a5ec828b92a8da5f22511e9f3e3358fc14d6c696a8936948846f2e750975733d67b2a730bf00103adbe3874f18f1af441d634b3dd9639953d47dec0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\Gl46TpULdKzqTEeaDuM.bat

Filesize
89B

MD5
98323978cd8426bb4eaf02610b43a8b7

SHA1
60106862147c23f62a8b3c315e99614a55a83e86

SHA256
16f70a27fc2b9b69519984169dec646adc2c1ae59af5bc34c62a783bbd71657f

SHA512
a0db58f068bb80372392a4a436ff260a9729f08eed7ceef01ecdce68ebbdedb481edccd358169983542a64962c602941c41f590a52663141de2cc2b2793b326a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\b5G22TwI5sSnSJKL7urg5tCF8EHPXDbL9yEMgA9LaYyHnpFyHeN8L6Oob76V.vbe

Filesize
220B

MD5
418d6c2804f2e772fd6dca301bf12a34

SHA1
abfe7b99d95635c533a3d04f03ab28ab37dbdc6f

SHA256
6dc0862dcb39c860680a7baa09be804992f68986a5f8450f1f6b0459995cf309

SHA512
1c519fa0b9093a11c71228df5310ba580b26d3211ea1f8a4def1db50c8a42e9d1c4c8e73b98f7f5076e1c4744b18abf134c23adb744392aaf135f73395e61923

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
10ab995367a102c01f99520983dde716

SHA1
06a7f768e5e8af4ca16757d81463155fc6b3613e

SHA256
d941d1e38ae3589aece1270e712d762d523bb593a10d3eb3f803200efc69ddd2

SHA512
a9ddb100bb265374bd42e2cbfa41a5cc9172f7d3f172cf1cda2e66c320e5351eaba76c385befddf885709203dd493c26f92edea72a0ce950612e2a1ba410f4a1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua5uwoy0\ua5uwoy0.0.cs

Filesize
397B

MD5
bd2044f2492f7d122e04a22cec782450

SHA1
19059eb59403eb48a6b047307ebae6be509ccf2b

SHA256
dd966afe7680c25c428d107dfac91b66812d0339189a9cc031e69e429df814d8

SHA512
3010e8e70afcd1a9e96ad0dbb30b04555ff1620ee41ac11c2b3e6e0ff84e6313af8f2bb2b3f3c18b2a65c54a78530fc2d83dbf2237bf797ffeef77af87509dba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ua5uwoy0\ua5uwoy0.cmdline

Filesize
235B

MD5
56df1cf4198feddf3db9aec5af203adb

SHA1
b528fa09c27e2fffda8fe2948b96df67df654cc3

SHA256
bb752f1352209506275438c17cf8f206ac122d1ecb0dd6ea1e661ba12215e9ec

SHA512
08509c528adf35cf2490080f36d70abd9ab0f71c2f262192c33324198ad08178f1d90f792f630902be0ce9587bf038c451237aa681ee6fb9e88114bfad727c2e

Download Submit
\??\c:\Windows\System32\CSC2C4509D5E01246C3993BFD4E322D5A.TMP

Filesize
1KB

MD5
332eb1c3dc41d312a6495d9ea0a81166

SHA1
1d5c1b68be781b14620d9e98183506f8651f4afd

SHA256
bab20fa8251fcee3c944e76bdc082850ae4a32fd2eff761fec3bc445f58d11f2

SHA512
2c5ae1de2d4cb7f1e1540b455f7876eb1f494cda57bfb8e78a81aa01f3f453c5488b986cd170d6dc96bf684874c54257bfd0335a78764cc3fa43fe310a0cf440

Download Submit
\Users\Admin\AppData\Local\Temp\msserverfontHostsvc\componentdll.exe

Filesize
1.9MB

MD5
0a65c7fe9428f97bb5efd56cc1e19617

SHA1
b88d9cca07a6aa4f47a8c705329a0b2a7a1c9be6

SHA256
1135cc4a0a57bae21afd676287902da8dc40073717570864ce05f6e590ef266d

SHA512
224a9112b9f28f517becdfe7e206693c162f486c297b2ca1fd4f41662143576cacd6f1d9a441e4c4665a4543f9595bf7d40d463a7d04f72df897d705d4c4209f

Download Submit
memory/2028-61-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2028-59-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2628-87-0x0000000001250000-0x000000000143E000-memory.dmp

Filesize
1.9MB

Download
memory/2936-15-0x0000000000190000-0x000000000019E000-memory.dmp

Filesize
56KB

Download
memory/2936-25-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2936-23-0x00000000003B0000-0x00000000003BE000-memory.dmp

Filesize
56KB

Download
memory/2936-21-0x00000000001A0000-0x00000000001AE000-memory.dmp

Filesize
56KB

Download
memory/2936-19-0x0000000000880000-0x0000000000898000-memory.dmp

Filesize
96KB

Download
memory/2936-17-0x0000000000860000-0x000000000087C000-memory.dmp

Filesize
112KB

Download
memory/2936-13-0x00000000003E0000-0x00000000005CE000-memory.dmp

Filesize
1.9MB

Download