darkvision | dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 05:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe
Size

4.0MB
MD5

247e35b36f1fa7310918e3bf28ce0298
SHA1

3069f557958742358302fcc216f3c80517733c22
SHA256

dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b
SHA512

d702adb486eeaf270ee0904a5d6ef277025414bf050d392766763b49fa5b675939435913be7e57592757eb6d2c9f5ec93352b0714a1869fc2d71c3cb42f8495f
SSDEEP

49152:GHC3lll91kgrtu/Q+CSj2BUKWXBt1eHx/G039ygNHhPguc:NB1NgnNj2BqX7B03sgNHhl

Score

10^/10

darkvision execution rat

Malware Config

Extracted

Family

darkvision

powercycle.ddns.net

Signatures

DarkVision Rat
DarkVision Rat is a trojan written in C++.
rat darkvision
Darkvision family
darkvision

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3552	powershell.exe
3024	powershell.exe

Checks BIOS information in registry 2 TTPs 64 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	chrornes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	chrornes.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Drops startup file 30 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
5104	chrornes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3024	powershell.exe
3024	powershell.exe
3552	powershell.exe
3552	powershell.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe
5104	chrornes.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 4744	4532	dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe	83
PID 4532 wrote to memory of 4744	4532	dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe	83
PID 4532 wrote to memory of 5104	4532	dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe	85
PID 4532 wrote to memory of 5104	4532	dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe	85
PID 4744 wrote to memory of 3024	4744	cmd.exe	86
PID 4744 wrote to memory of 3024	4744	cmd.exe	86
PID 5104 wrote to memory of 5064	5104	chrornes.exe	87
PID 5104 wrote to memory of 5064	5104	chrornes.exe	87
PID 5104 wrote to memory of 636	5104	chrornes.exe	89
PID 5104 wrote to memory of 636	5104	chrornes.exe	89
PID 5064 wrote to memory of 3552	5064	cmd.exe	90
PID 5064 wrote to memory of 3552	5064	cmd.exe	90
PID 5104 wrote to memory of 4236	5104	chrornes.exe	91
PID 5104 wrote to memory of 4236	5104	chrornes.exe	91
PID 5104 wrote to memory of 3580	5104	chrornes.exe	94
PID 5104 wrote to memory of 3580	5104	chrornes.exe	94
PID 5104 wrote to memory of 3980	5104	chrornes.exe	99
PID 5104 wrote to memory of 3980	5104	chrornes.exe	99
PID 5104 wrote to memory of 2920	5104	chrornes.exe	106
PID 5104 wrote to memory of 2920	5104	chrornes.exe	106
PID 5104 wrote to memory of 3660	5104	chrornes.exe	112
PID 5104 wrote to memory of 3660	5104	chrornes.exe	112
PID 5104 wrote to memory of 2068	5104	chrornes.exe	116
PID 5104 wrote to memory of 2068	5104	chrornes.exe	116
PID 5104 wrote to memory of 1568	5104	chrornes.exe	120
PID 5104 wrote to memory of 1568	5104	chrornes.exe	120
PID 5104 wrote to memory of 3440	5104	chrornes.exe	122
PID 5104 wrote to memory of 3440	5104	chrornes.exe	122
PID 5104 wrote to memory of 1684	5104	chrornes.exe	125
PID 5104 wrote to memory of 1684	5104	chrornes.exe	125
PID 5104 wrote to memory of 3444	5104	chrornes.exe	127
PID 5104 wrote to memory of 3444	5104	chrornes.exe	127
PID 5104 wrote to memory of 4964	5104	chrornes.exe	129
PID 5104 wrote to memory of 4964	5104	chrornes.exe	129
PID 5104 wrote to memory of 3608	5104	chrornes.exe	132
PID 5104 wrote to memory of 3608	5104	chrornes.exe	132
PID 5104 wrote to memory of 812	5104	chrornes.exe	134
PID 5104 wrote to memory of 812	5104	chrornes.exe	134
PID 5104 wrote to memory of 1660	5104	chrornes.exe	137
PID 5104 wrote to memory of 1660	5104	chrornes.exe	137
PID 5104 wrote to memory of 4724	5104	chrornes.exe	140
PID 5104 wrote to memory of 4724	5104	chrornes.exe	140
PID 5104 wrote to memory of 4592	5104	chrornes.exe	142
PID 5104 wrote to memory of 4592	5104	chrornes.exe	142
PID 5104 wrote to memory of 2424	5104	chrornes.exe	144
PID 5104 wrote to memory of 2424	5104	chrornes.exe	144
PID 5104 wrote to memory of 1880	5104	chrornes.exe	147
PID 5104 wrote to memory of 1880	5104	chrornes.exe	147
PID 5104 wrote to memory of 384	5104	chrornes.exe	149
PID 5104 wrote to memory of 384	5104	chrornes.exe	149
PID 5104 wrote to memory of 2684	5104	chrornes.exe	151
PID 5104 wrote to memory of 2684	5104	chrornes.exe	151
PID 5104 wrote to memory of 4356	5104	chrornes.exe	154
PID 5104 wrote to memory of 4356	5104	chrornes.exe	154
PID 5104 wrote to memory of 780	5104	chrornes.exe	156
PID 5104 wrote to memory of 780	5104	chrornes.exe	156
PID 5104 wrote to memory of 2460	5104	chrornes.exe	158
PID 5104 wrote to memory of 2460	5104	chrornes.exe	158
PID 5104 wrote to memory of 2876	5104	chrornes.exe	161
PID 5104 wrote to memory of 2876	5104	chrornes.exe	161
PID 5104 wrote to memory of 1620	5104	chrornes.exe	163
PID 5104 wrote to memory of 1620	5104	chrornes.exe	163
PID 5104 wrote to memory of 2980	5104	chrornes.exe	165
PID 5104 wrote to memory of 2980	5104	chrornes.exe	165

C:\Users\Admin\AppData\Local\Temp\dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe
"C:\Users\Admin\AppData\Local\Temp\dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b.exe"
1⤵
- Checks BIOS information in registry
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\chrornes'
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\chrornes'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- C:\ProgramData\chrornes\chrornes.exe
  "C:\ProgramData\chrornes\chrornes.exe" {79750DE2-228C-4200-A195-046B39964F00}
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\chrornes'
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-MpPreference -ExclusionPath 'C:\ProgramData\chrornes'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3552
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:636
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4236
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3580
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3980
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2920
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3660
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2068
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1568
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3440
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1684
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3444
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4964
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:3608
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:812
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1660
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4724
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4592
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2424
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1880
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:384
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2684
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4356
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:780
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2460
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:2876
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:1620
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    PID:2980
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4992
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:372
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4872
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4548
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Checks BIOS information in registry
    - Drops startup file
    PID:4664
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\chrornes\chrornes.exe

Filesize
4.0MB

MD5
247e35b36f1fa7310918e3bf28ce0298

SHA1
3069f557958742358302fcc216f3c80517733c22

SHA256
dd86228f22a372a870efd571580bd2800c79f502a70a9b47aab2bdb10ca5766b

SHA512
d702adb486eeaf270ee0904a5d6ef277025414bf050d392766763b49fa5b675939435913be7e57592757eb6d2c9f5ec93352b0714a1869fc2d71c3cb42f8495f

Download Submit
C:\ProgramData\{EAD7AEF0-477D-4DC9-9A27-5FC8219FE893}\{4797816F-95C5-4CFD-B3BE-FED6FAD61A0E}.bat

Filesize
103B

MD5
17bc841fb65f63d0ad2b6cd07bd0da43

SHA1
5884ba2582f5e05fff26f2890ae41acabe13c827

SHA256
62ccc76edaa3a1113d99849b6fb74d9de31653275cd4198ffa48bdde18121f86

SHA512
e7d8f68bdcdc8346e7e41ea2db1b55e5857ebb7b5d8d85059694c4682b33d61c5ba870ee7658040f931d308356898cd8601733331e00783a7688b7a4f04398d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lxmpr3f1.kr1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
7f9e56c17ecead4b79513a4ce48417e3

SHA1
f4f73ca00815dbc465e3fffc16b0ac7042753de8

SHA256
ff82129de2d2c36e270e4c5e27db872cf44520452a997611736b53c387696094

SHA512
443e072cbabcfe666626b04881d0a3a4f47dbd35f4ce516f6937076dfeaae43f99379c3ca89c08bf2c105bd266a42c479695fe8ba5d3f0145f8f02521c51d984

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
6dc9d94fd334cacdfb0545e2f1187dd8

SHA1
af66f4406666590372f31310eb70ae0116e8d221

SHA256
10d426433358604ba9fc028835a39f604a46341330b14e58b58c9ae3bd695fad

SHA512
973c5feff011aa1fb576313be52792fd533629fb5187b6ab12165881fb0c8796fc77b2962234438e42f291a17fb591b33f8a90f372e59b54f47c0b6ae1bafd75

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
df513fe321b80ac1e60e66df84d02f0a

SHA1
2cf28b59787a231fe1cd5594993dc7a6f4bd3ebe

SHA256
5b3064fbfae5ec67ea3909b832385103869c7b05bbb8d560c46884d827ddc46a

SHA512
578e48336fa28bcee782de0475b2776a722ab80e6d93856a18abf12ad43d116090869d04492b85ff502539240769aedbc7562b5b97da89ea8191c9d7a4325202

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
724c9f4be828a5a445a22d5573422ab9

SHA1
520f0c37d554a9819d701f0d57384872a737d424

SHA256
23bfa4518b7afa25400dadc127b840e7544347b1f6bc942495d81690127a8643

SHA512
4dcdadba4ac910ed10dae029b751296ad90c0c4aaca0cab943cdce1d8d36e0bdffe0f3c152b731b85a287baebbe9a7d5fdcf614c020e63f9b7c99e6491a602d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
b20b0d2138501b19d313abfa207fa045

SHA1
3d45ae7279ecc153e750d2c2f03f77edbb3af084

SHA256
2368281a1f1a2bdfdfdcc6d767993e5eff74b28187f0bd84bf0fffeb03adb40e

SHA512
180cb53d98b5948ec83f5e7146bf0e1f8282113bac9157c83639c1f38e565ada075439e628f80a29ca2aa310bf218e704c9369c878c46abdc9c932483ec23762

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
7d1db7fb5cdf586d87bdba525856a79a

SHA1
a79b0db5c0f0750ce618dea0d7e2c9c36d7b1f09

SHA256
8601bb9211dac9b87876fe2b524a7ce588ccdc808fa3c841aa392821171cd402

SHA512
90ef78f2d2cc4083ae37427abe4c30c514e4115ca1555386629119c1ddbeeb697b2ba96f1926dd562d46463de3ff540fc637a9a6c5d0fbf83e0cd65e839df8fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
04fa0c7748659eb8f81fa40863a48c67

SHA1
2858e59de5d193b434db9b2d59785ceea25e262a

SHA256
ee51bc51099a8b5e9a63b77077f58d67b5116109d0956b2965d457a5bdc19314

SHA512
6e08ea1fb543e2ca3c750f114124cfdc14a4e6bd8642ecf3710572e5d01aa8b4928fd4e4ffb105543385654b12967609a1ba00809be88d17769493cc6490c192

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
9d872814711d1b046efe6cf4949eae21

SHA1
1041d44bd64bdcfe4acbf1c6369e1b5ef03327a7

SHA256
8d4ac058e1b84c91a956d1fcafd90063b117fac5d25ed2bd65d9367e8c8ea59c

SHA512
2c9d25875be66a085a96eb4fc7dd16badd77ae35c47b7aee87a75edaa14e0af20af7b824c6c29175f8dc8cd71e9080734ae45fd35ca74b8e2bf3d7b29baa83c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{80DAFBD3-D30D-4C9B-88FD-1C16EE255FF8}.lnk

Filesize
1KB

MD5
72d7dea8adcb4336ad056bdfdab17e0c

SHA1
7832727350775cd4378e66c2de7b1020071651ec

SHA256
b0e80461a4cd6565c3ac47a70eed2f6faa0f11d4172a68bff4b64c2bbaee71a3

SHA512
109fb85886a02624cd43216b505bd6d93276db09b51c69d8cac8903fbfca7d3712a29c92a96c84fed2d949b2eae04f2d55b27ab52dda820564f6e625e0b202de

Download Submit
memory/636-35-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-66-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-45-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-44-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-43-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-41-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-39-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-37-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-36-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-46-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-33-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-38-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-34-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-32-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-31-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-23-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-50-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-21-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/636-29-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-30-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-40-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-42-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-47-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-49-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/636-48-0x0000000002A20000-0x0000000002E2C000-memory.dmp

Filesize
4.0MB

Download
memory/3024-53-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/3024-16-0x0000019E392B0000-0x0000019E392D2000-memory.dmp

Filesize
136KB

Download
memory/3024-10-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/4236-92-0x000001918A3A0000-0x000001918A7AC000-memory.dmp

Filesize
4.0MB

Download
memory/4532-8-0x00007FF7314F0000-0x00007FF7318FC000-memory.dmp

Filesize
4.0MB

Download
memory/4532-0-0x00007FF7314F0000-0x00007FF7318FC000-memory.dmp

Filesize
4.0MB

Download
memory/4532-1-0x00007FFE62110000-0x00007FFE62112000-memory.dmp

Filesize
8KB

Download
memory/5104-193-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/5104-160-0x00007FF6C3A90000-0x00007FF6C3E9C000-memory.dmp

Filesize
4.0MB

Download
memory/5104-9-0x00007FFE62070000-0x00007FFE62265000-memory.dmp

Filesize
2.0MB

Download
memory/5104-7-0x00007FF6C3A90000-0x00007FF6C3E9C000-memory.dmp

Filesize
4.0MB

Download