dcrat | 10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91

Resubmissions

13/01/2025, 05:28

250113-f59araxqfz 10

12/01/2025, 19:36

250112-ybg9aaylfr 10

Analysis

max time kernel
854s
max time network
720s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
Size

1.7MB
MD5

a95c577913d17f1786babed3306fed60
SHA1

16106bfac76f6e4f711a9dd7e016cd52fbaeb774
SHA256

10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91
SHA512

314edb12b8885f8f9ea83e991b49aafcc629d5325f3439460610cc0046f0f0d1d629cecd79c2a9c48899d07c171253be7e65a6ef27c1434cf5ff55d5043fdec0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3040	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	3040	schtasks.exe	29

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1076-1-0x0000000001270000-0x0000000001426000-memory.dmp	dcrat
behavioral1/files/0x00050000000196a1-27.dat	dcrat
behavioral1/files/0x0011000000012243-77.dat	dcrat
behavioral1/files/0x000800000001939b-88.dat	dcrat
behavioral1/memory/2632-129-0x0000000000D00000-0x0000000000EB6000-memory.dmp	dcrat
behavioral1/memory/1916-170-0x0000000000190000-0x0000000000346000-memory.dmp	dcrat
behavioral1/memory/2912-174-0x0000000000910000-0x0000000000AC6000-memory.dmp	dcrat
behavioral1/memory/1804-177-0x0000000000030000-0x00000000001E6000-memory.dmp	dcrat
behavioral1/memory/2412-181-0x00000000002D0000-0x0000000000486000-memory.dmp	dcrat
behavioral1/memory/2424-183-0x0000000001080000-0x0000000001236000-memory.dmp	dcrat
behavioral1/memory/1972-186-0x0000000000100000-0x00000000002B6000-memory.dmp	dcrat
behavioral1/memory/2996-188-0x0000000001030000-0x00000000011E6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1556	powershell.exe
1912	powershell.exe
1868	powershell.exe
3068	powershell.exe
1624	powershell.exe
776	powershell.exe
1808	powershell.exe
2428	powershell.exe
2884	powershell.exe
1984	powershell.exe
2256	powershell.exe
2892	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe

Executes dropped EXE 8 IoCs

pid	Process
2632	dllhost.exe
1916	dllhost.exe
2912	spoolsv.exe
1804	dllhost.exe
2412	spoolsv.exe
2424	csrss.exe
1972	audiodg.exe
2996	spoolsv.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File created	C:\Program Files (x86)\Windows NT\886983d96e3d3e	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX760D.tmp	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7F68.tmp	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\csrss.exe	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File created	C:\Program Files (x86)\Windows NT\csrss.exe	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\RCX7A84.tmp	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\886983d96e3d3e	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX760C.tmp	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\RCX7A83.tmp	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\csrss.exe	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\RCX7EFA.tmp	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\5940a34987c991	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
File opened for modification	C:\Program Files (x86)\Windows NT\csrss.exe	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1604	schtasks.exe
2616	schtasks.exe
2444	schtasks.exe
2568	schtasks.exe
1692	schtasks.exe
2808	schtasks.exe
1892	schtasks.exe
2028	schtasks.exe
1420	schtasks.exe
1784	schtasks.exe
2032	schtasks.exe
2464	schtasks.exe
2112	schtasks.exe
2488	schtasks.exe
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
1912	powershell.exe
2428	powershell.exe
1868	powershell.exe
776	powershell.exe
2884	powershell.exe
1556	powershell.exe
1624	powershell.exe
2632	dllhost.exe
2632	dllhost.exe
2256	powershell.exe
2632	dllhost.exe
1808	powershell.exe
3068	powershell.exe
1984	powershell.exe
2892	powershell.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe
2632	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2632	dllhost.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1916	dllhost.exe
Token: SeDebugPrivilege	2912	spoolsv.exe
Token: SeDebugPrivilege	1804	dllhost.exe
Token: SeDebugPrivilege	2412	spoolsv.exe
Token: SeDebugPrivilege	2424	csrss.exe
Token: SeDebugPrivilege	1972	audiodg.exe
Token: SeDebugPrivilege	2996	spoolsv.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1808	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	45
PID 1076 wrote to memory of 1808	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	45
PID 1076 wrote to memory of 1808	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	45
PID 1076 wrote to memory of 1556	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	46
PID 1076 wrote to memory of 1556	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	46
PID 1076 wrote to memory of 1556	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	46
PID 1076 wrote to memory of 2428	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	47
PID 1076 wrote to memory of 2428	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	47
PID 1076 wrote to memory of 2428	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	47
PID 1076 wrote to memory of 2884	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	48
PID 1076 wrote to memory of 2884	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	48
PID 1076 wrote to memory of 2884	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	48
PID 1076 wrote to memory of 1984	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	49
PID 1076 wrote to memory of 1984	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	49
PID 1076 wrote to memory of 1984	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	49
PID 1076 wrote to memory of 2256	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	50
PID 1076 wrote to memory of 2256	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	50
PID 1076 wrote to memory of 2256	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	50
PID 1076 wrote to memory of 1912	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	51
PID 1076 wrote to memory of 1912	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	51
PID 1076 wrote to memory of 1912	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	51
PID 1076 wrote to memory of 1868	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	52
PID 1076 wrote to memory of 1868	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	52
PID 1076 wrote to memory of 1868	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	52
PID 1076 wrote to memory of 2892	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	53
PID 1076 wrote to memory of 2892	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	53
PID 1076 wrote to memory of 2892	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	53
PID 1076 wrote to memory of 1624	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	54
PID 1076 wrote to memory of 1624	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	54
PID 1076 wrote to memory of 1624	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	54
PID 1076 wrote to memory of 3068	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	55
PID 1076 wrote to memory of 3068	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	55
PID 1076 wrote to memory of 3068	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	55
PID 1076 wrote to memory of 776	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	56
PID 1076 wrote to memory of 776	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	56
PID 1076 wrote to memory of 776	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	56
PID 1076 wrote to memory of 2632	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	69
PID 1076 wrote to memory of 2632	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	69
PID 1076 wrote to memory of 2632	1076	10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe	69
PID 2632 wrote to memory of 1060	2632	dllhost.exe	70
PID 2632 wrote to memory of 1060	2632	dllhost.exe	70
PID 2632 wrote to memory of 1060	2632	dllhost.exe	70
PID 2632 wrote to memory of 836	2632	dllhost.exe	71
PID 2632 wrote to memory of 836	2632	dllhost.exe	71
PID 2632 wrote to memory of 836	2632	dllhost.exe	71
PID 1060 wrote to memory of 1916	1060	WScript.exe	72
PID 1060 wrote to memory of 1916	1060	WScript.exe	72
PID 1060 wrote to memory of 1916	1060	WScript.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe
C:\Users\Admin\AppData\Local\Temp\10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91N.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe
  "C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28059498-e150-472f-9ea8-f330f7e73b11.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe
      "C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe9e54b8-bade-4ea8-b818-3eac157a6a18.vbs"
    3⤵
    PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\taskeng.exe
taskeng.exe {17817482-523B-48EA-A2BB-7CF940100C40} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
1⤵
PID:1920
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe
  "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe
  "C:\Program Files\Windows Photo Viewer\fr-FR\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Program Files (x86)\Windows NT\csrss.exe
  "C:\Program Files (x86)\Windows NT\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe
  "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe
  "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe
  "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.7MB

MD5
87f7cb6bc1a1a1f694983cf41c7e2ebe

SHA1
c8ff293f7178c9fa30dd203fb05e5486cf3542d3

SHA256
32c998cc4bf0b75b7f0c43948e9916256508d123b4749334fa82e0ad041999fc

SHA512
b64f48d24e729c4d244dac7af111c27dcc49463729b8a2feb26defe1874d7ea1dd7d6841b31be6019712b272c6588c82d1b9583a3fb8993ef9bfcdf2fcb5afcd

Download Submit
C:\Program Files (x86)\Windows NT\csrss.exe

Filesize
1.7MB

MD5
a95c577913d17f1786babed3306fed60

SHA1
16106bfac76f6e4f711a9dd7e016cd52fbaeb774

SHA256
10deea290eb4d8620994434958a5ba14e8669f34a2ab998b65792acad1b49c91

SHA512
314edb12b8885f8f9ea83e991b49aafcc629d5325f3439460610cc0046f0f0d1d629cecd79c2a9c48899d07c171253be7e65a6ef27c1434cf5ff55d5043fdec0

Download Submit
C:\Program Files (x86)\Windows NT\csrss.exe

Filesize
1.7MB

MD5
cd70ef6ce62ccd6df349d902173a6cd1

SHA1
e92a571e0fd6ed2ab0d7c3c2d3a1baf68bea0e2f

SHA256
5c3b1bfc29cfe072d941a7f8ba0cdd261daa7339908593080649d17addfc8d84

SHA512
aa4fa4a5c8c1f1e1a7ddf69fcf54e4a378d7cbd23e818eefa8020d19d371a09af17583ec4954ea4694164fd6cb68ae6efb534a6ee1b96332287cdc3c66e7e957

Download Submit
C:\Users\Admin\AppData\Local\Temp\28059498-e150-472f-9ea8-f330f7e73b11.vbs

Filesize
731B

MD5
814f5770dc6db27c081b33fd5f19775e

SHA1
c9e3c56c9bade1cb687a8970bc44b3f9b49a4121

SHA256
153b2e9a4505021510ea91ab21e4bab524c06f8a2328c7bf9861d289dc9ab037

SHA512
a8b14b6683c00b47cd93e6f926feb3b0196d22fd877742bc483e6ba006e0f120704027f4cc98e1d84849f876c9d1798c891bdb65b2400733b0b965e6c4f0829f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe9e54b8-bade-4ea8-b818-3eac157a6a18.vbs

Filesize
507B

MD5
94d32644446f81e2efd358550f818472

SHA1
f9c77ff90faa7adbdd4be5bef45a98c394b540c5

SHA256
79b1ba928a3130054881faef376a3ad4d0c95347d6f3a92e4235a7bf6a05de72

SHA512
22d227e47e199aba9c7924688fbd54da46e40d9f444c95e24e9d96584a3c9268efd5009978cfd07edd3c3fe6a8613082a0844a9aec0b6bd212b548ae4ca69a03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
30b20292fce925f859cc7313af18c8d9

SHA1
e4fcd22b22845b93a0cc05cd6de73b0cc5e1ac1b

SHA256
9a5091feed1e69b559b75bc3297bf7168968e46ccc2eb5d5533a77769119bab8

SHA512
fd9b944570276a58d7d1637798806951adc2531816bc04405a76ebd6b9f65b004f1b28299614019e7d15f0c16d5deab7e575952e09e5ea1941e64b6ce447e7fe

Download Submit
memory/1076-13-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/1076-1-0x0000000001270000-0x0000000001426000-memory.dmp

Filesize
1.7MB

Download
memory/1076-8-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/1076-9-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/1076-10-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/1076-12-0x0000000000C80000-0x0000000000C8C000-memory.dmp

Filesize
48KB

Download
memory/1076-2-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-14-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/1076-16-0x0000000000F00000-0x0000000000F0C000-memory.dmp

Filesize
48KB

Download
memory/1076-15-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/1076-17-0x0000000000F10000-0x0000000000F1C000-memory.dmp

Filesize
48KB

Download
memory/1076-20-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/1076-5-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/1076-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1076-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

Filesize
4KB

Download
memory/1076-7-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/1076-130-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Filesize
9.9MB

Download
memory/1076-6-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/1804-177-0x0000000000030000-0x00000000001E6000-memory.dmp

Filesize
1.7MB

Download
memory/1804-178-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1916-170-0x0000000000190000-0x0000000000346000-memory.dmp

Filesize
1.7MB

Download
memory/1916-171-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1972-186-0x0000000000100000-0x00000000002B6000-memory.dmp

Filesize
1.7MB

Download
memory/2412-181-0x00000000002D0000-0x0000000000486000-memory.dmp

Filesize
1.7MB

Download
memory/2424-183-0x0000000001080000-0x0000000001236000-memory.dmp

Filesize
1.7MB

Download
memory/2428-118-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/2428-103-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2632-137-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2632-129-0x0000000000D00000-0x0000000000EB6000-memory.dmp

Filesize
1.7MB

Download
memory/2912-175-0x0000000002160000-0x0000000002172000-memory.dmp

Filesize
72KB

Download
memory/2912-174-0x0000000000910000-0x0000000000AC6000-memory.dmp

Filesize
1.7MB

Download
memory/2996-188-0x0000000001030000-0x00000000011E6000-memory.dmp

Filesize
1.7MB

Download