dcrat | 7014e9a725d8449f588d906d671771ccbf2c253d603205818a5af782a02e320c

Analysis

max time kernel
117s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ElixirInjector.exe
Size

1.9MB
MD5

04095b54d4245dca4aeb05310a2ddc8a
SHA1

4d5bc54fade2e8af35d36ae0cab2c0f835cb7334
SHA256

7014e9a725d8449f588d906d671771ccbf2c253d603205818a5af782a02e320c
SHA512

f666c5f973a67aeb3d56b2055884267f2fd892634c2267dbd0e29965285dc05d876658fa944100bafe572b66061a8a7caefd3b1e650ee9302ae229255a8a854f
SSDEEP

49152:OB8cSz7LU1B6RIML97yovHGfx8UINTPWUznpd:QEvKB6WMBvqnIJx

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2800	schtasks.exe	34

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1348	powershell.exe
1772	powershell.exe
1048	powershell.exe
2492	powershell.exe
1648	powershell.exe
344	powershell.exe
1184	powershell.exe
1236	powershell.exe
1008	powershell.exe
1832	powershell.exe
1216	powershell.exe
1856	powershell.exe
648	powershell.exe
1908	powershell.exe
968	powershell.exe
620	powershell.exe
1448	powershell.exe
328	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1692	Bluestacks.exe
2816	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2460	cmd.exe
2460	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\c5b4cb5e9653cc	Bluestacks.exe
File created	C:\Windows\AppPatch\it-IT\Idle.exe	Bluestacks.exe
File opened for modification	C:\Windows\AppPatch\it-IT\Idle.exe	Bluestacks.exe
File created	C:\Windows\AppPatch\it-IT\6ccacd8608530f	Bluestacks.exe
File created	C:\Windows\Logs\DISM\spoolsv.exe	Bluestacks.exe
File created	C:\Windows\Logs\DISM\f3b6ecef712a24	Bluestacks.exe
File created	C:\Windows\Performance\WinSAT\services.exe	Bluestacks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ElixirInjector.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2964	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Bluestacks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Bluestacks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2964	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
904	schtasks.exe
2004	schtasks.exe
2968	schtasks.exe
2168	schtasks.exe
2264	schtasks.exe
2648	schtasks.exe
476	schtasks.exe
2864	schtasks.exe
1932	schtasks.exe
1884	schtasks.exe
1936	schtasks.exe
1228	schtasks.exe
2608	schtasks.exe
2496	schtasks.exe
532	schtasks.exe
1828	schtasks.exe
2020	schtasks.exe
2156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe
1692	Bluestacks.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	Bluestacks.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2816	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1940	2560	ElixirInjector.exe	30
PID 2560 wrote to memory of 1940	2560	ElixirInjector.exe	30
PID 2560 wrote to memory of 1940	2560	ElixirInjector.exe	30
PID 2560 wrote to memory of 1940	2560	ElixirInjector.exe	30
PID 1940 wrote to memory of 2460	1940	WScript.exe	31
PID 1940 wrote to memory of 2460	1940	WScript.exe	31
PID 1940 wrote to memory of 2460	1940	WScript.exe	31
PID 1940 wrote to memory of 2460	1940	WScript.exe	31
PID 2460 wrote to memory of 1692	2460	cmd.exe	33
PID 2460 wrote to memory of 1692	2460	cmd.exe	33
PID 2460 wrote to memory of 1692	2460	cmd.exe	33
PID 2460 wrote to memory of 1692	2460	cmd.exe	33
PID 1692 wrote to memory of 1048	1692	Bluestacks.exe	53
PID 1692 wrote to memory of 1048	1692	Bluestacks.exe	53
PID 1692 wrote to memory of 1048	1692	Bluestacks.exe	53
PID 1692 wrote to memory of 968	1692	Bluestacks.exe	54
PID 1692 wrote to memory of 968	1692	Bluestacks.exe	54
PID 1692 wrote to memory of 968	1692	Bluestacks.exe	54
PID 1692 wrote to memory of 1348	1692	Bluestacks.exe	55
PID 1692 wrote to memory of 1348	1692	Bluestacks.exe	55
PID 1692 wrote to memory of 1348	1692	Bluestacks.exe	55
PID 1692 wrote to memory of 2492	1692	Bluestacks.exe	56
PID 1692 wrote to memory of 2492	1692	Bluestacks.exe	56
PID 1692 wrote to memory of 2492	1692	Bluestacks.exe	56
PID 1692 wrote to memory of 1648	1692	Bluestacks.exe	57
PID 1692 wrote to memory of 1648	1692	Bluestacks.exe	57
PID 1692 wrote to memory of 1648	1692	Bluestacks.exe	57
PID 1692 wrote to memory of 1832	1692	Bluestacks.exe	58
PID 1692 wrote to memory of 1832	1692	Bluestacks.exe	58
PID 1692 wrote to memory of 1832	1692	Bluestacks.exe	58
PID 1692 wrote to memory of 1216	1692	Bluestacks.exe	59
PID 1692 wrote to memory of 1216	1692	Bluestacks.exe	59
PID 1692 wrote to memory of 1216	1692	Bluestacks.exe	59
PID 1692 wrote to memory of 344	1692	Bluestacks.exe	60
PID 1692 wrote to memory of 344	1692	Bluestacks.exe	60
PID 1692 wrote to memory of 344	1692	Bluestacks.exe	60
PID 1692 wrote to memory of 1184	1692	Bluestacks.exe	61
PID 1692 wrote to memory of 1184	1692	Bluestacks.exe	61
PID 1692 wrote to memory of 1184	1692	Bluestacks.exe	61
PID 1692 wrote to memory of 1772	1692	Bluestacks.exe	62
PID 1692 wrote to memory of 1772	1692	Bluestacks.exe	62
PID 1692 wrote to memory of 1772	1692	Bluestacks.exe	62
PID 1692 wrote to memory of 620	1692	Bluestacks.exe	63
PID 1692 wrote to memory of 620	1692	Bluestacks.exe	63
PID 1692 wrote to memory of 620	1692	Bluestacks.exe	63
PID 1692 wrote to memory of 1448	1692	Bluestacks.exe	64
PID 1692 wrote to memory of 1448	1692	Bluestacks.exe	64
PID 1692 wrote to memory of 1448	1692	Bluestacks.exe	64
PID 1692 wrote to memory of 1856	1692	Bluestacks.exe	65
PID 1692 wrote to memory of 1856	1692	Bluestacks.exe	65
PID 1692 wrote to memory of 1856	1692	Bluestacks.exe	65
PID 1692 wrote to memory of 648	1692	Bluestacks.exe	66
PID 1692 wrote to memory of 648	1692	Bluestacks.exe	66
PID 1692 wrote to memory of 648	1692	Bluestacks.exe	66
PID 1692 wrote to memory of 1236	1692	Bluestacks.exe	67
PID 1692 wrote to memory of 1236	1692	Bluestacks.exe	67
PID 1692 wrote to memory of 1236	1692	Bluestacks.exe	67
PID 1692 wrote to memory of 328	1692	Bluestacks.exe	68
PID 1692 wrote to memory of 328	1692	Bluestacks.exe	68
PID 1692 wrote to memory of 328	1692	Bluestacks.exe	68
PID 1692 wrote to memory of 1908	1692	Bluestacks.exe	69
PID 1692 wrote to memory of 1908	1692	Bluestacks.exe	69
PID 1692 wrote to memory of 1908	1692	Bluestacks.exe	69
PID 1692 wrote to memory of 1008	1692	Bluestacks.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ElixirInjector.exe
"C:\Users\Admin\AppData\Local\Temp\ElixirInjector.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe
      "C:\Users\Admin\AppData\Local\Temp\WinRAR/data/bin/unistall/Bluestacks.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\DISM\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\it-IT\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J55piiclPY.bat"
        5⤵
        
        PID:2200
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2896
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2964
      - C:\Windows\AppPatch\it-IT\Idle.exe
        
        "C:\Windows\AppPatch\it-IT\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Performance\WinSAT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DISM\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppPatch\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BluestacksB" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bluestacks" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BluestacksB" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\Bluestacks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\J55piiclPY.bat

Filesize
162B

MD5
d4a668f7442839f8047ed7a5aa99c9fc

SHA1
dfd10b0db09b214774688cbe34cb215e277b8a15

SHA256
62a37ccaca30d1faef976a612d4651e5edf14cfaa9f6b892d2a4b1de852f7725

SHA512
dc7a6f1b30b16d87f70e3d32422435702368409bb596622857a3b9abab363566a3af06650f5fec0f34fec1a7009c63e776a7777b9d97f24957d038101d4703fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\6iq5IFzZA9EyHTwKHM8vXk9USXtHecApoG.bat

Filesize
95B

MD5
aa898d60b0bc1941439402668a8a16b3

SHA1
9574950945fc837fe9ff07ee3ca6c32185842e0e

SHA256
046bfe53d5f3e0658d97eeada7719219544da9cf16508a1e85b0bfe7831388a8

SHA512
5964f3294d9a7e8ccbe4d8c2c5fd66edc5ad28bd4b5c9664c67ff74f85852ae7d3fa45f42862821f91e94f4ce03c248a858b0e8a4026ef66cdce72c96159a2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR\data\bin\unistall\QUJ9Bg46i5eTnOQKEnteAp7rp1YY9NQfmUbhx6iPrrb4U6kE.vbe

Filesize
240B

MD5
86d5fa5e3228e9586230609c34cdeec7

SHA1
1e27f4cf478a2bb3a99491476e74c7968b811eed

SHA256
a68460a1a574480ffa92d8d4fbe8636d5a32cc3da84936bcb3b47d829a7e588d

SHA512
d4b15b180ab9887f0547193cd42f7273c82bf53f228df74f64424ed684342bc7717669f909a7a156cc0e37a6415a12fddeb7d27c9cc12058d93ce64e2345bc79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
18a606ebe575c560068006e1b085bb89

SHA1
96eed4a6ff71c16995ef008c467bfd7de8e625cf

SHA256
edde1bc3defec0f2adefb3b5506e57a65722e80c530eb2b6fc6f02004291afbc

SHA512
f6f0a0f7c8b3f3b6be644e107b7618f70a7225ac15776d15016d94ee9e07c9e9702a3ea52e391d88ce8736a089ba0c58bbcfc9da3663054081769bd02b5341d3

Download Submit
memory/1008-66-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/1008-52-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1692-17-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/1692-23-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1692-25-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/1692-27-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/1692-29-0x0000000000B70000-0x0000000000B78000-memory.dmp

Filesize
32KB

Download
memory/1692-31-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1692-21-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/1692-19-0x0000000000570000-0x0000000000588000-memory.dmp

Filesize
96KB

Download
memory/1692-15-0x0000000000520000-0x000000000052E000-memory.dmp

Filesize
56KB

Download
memory/1692-13-0x00000000010B0000-0x00000000012BA000-memory.dmp

Filesize
2.0MB

Download
memory/2816-141-0x00000000001D0000-0x00000000003DA000-memory.dmp

Filesize
2.0MB

Download