dcrat | 9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
Size

1.7MB
MD5

2ee8bf268f50f97db5231d71e3023c37
SHA1

0dd823f60b08b9b307c4be5f59c3b275caa2e1d5
SHA256

9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7
SHA512

294877dccd8c04d4c134ca29a9ebebe746f4b4a67bd7761cd581f27fcfe6a7b0866cde35d1c819e1f63b9fb829424e6d77711a494427ea73b84c53b48a2d6f0a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2828	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2828	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2396-1-0x00000000000B0000-0x0000000000270000-memory.dmp	dcrat
behavioral1/files/0x000600000001933e-29.dat	dcrat
behavioral1/files/0x00080000000193af-62.dat	dcrat
behavioral1/memory/1976-145-0x00000000000A0000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/836-157-0x0000000000F50000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/1052-191-0x0000000000220000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1868-203-0x0000000001170000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2220-215-0x00000000002B0000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1756-227-0x0000000000E60000-0x0000000001020000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1012	powershell.exe
1700	powershell.exe
1636	powershell.exe
896	powershell.exe
576	powershell.exe
1776	powershell.exe
1836	powershell.exe
1256	powershell.exe
2124	powershell.exe
2504	powershell.exe
404	powershell.exe
1004	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe

Executes dropped EXE 9 IoCs

pid	Process
1576	spoolsv.exe
1976	spoolsv.exe
836	spoolsv.exe
1884	spoolsv.exe
2704	spoolsv.exe
1052	spoolsv.exe
1868	spoolsv.exe
2220	spoolsv.exe
1756	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\RCX1651.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\c5b4cb5e9653cc	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\ja-JP\RCX1650.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\RCX1AC8.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Windows\addins\c5b4cb5e9653cc	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Windows\Migration\WTR\RCX1856.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Windows\addins\RCX1A5A.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Windows\addins\services.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Windows\CSC\v2.0.6\taskhost.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File created	C:\Windows\addins\services.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Windows\Migration\WTR\RCX1855.tmp	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
File opened for modification	C:\Windows\Migration\WTR\spoolsv.exe	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2568	schtasks.exe
2652	schtasks.exe
2732	schtasks.exe
2764	schtasks.exe
2964	schtasks.exe
2892	schtasks.exe
2648	schtasks.exe
2784	schtasks.exe
2612	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
1256	powershell.exe
1004	powershell.exe
404	powershell.exe
1836	powershell.exe
1636	powershell.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
2504	powershell.exe
896	powershell.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
1776	powershell.exe
2124	powershell.exe
1012	powershell.exe
1700	powershell.exe
576	powershell.exe
2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe
1576	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1576	spoolsv.exe
Token: SeDebugPrivilege	1976	spoolsv.exe
Token: SeDebugPrivilege	836	spoolsv.exe
Token: SeDebugPrivilege	1884	spoolsv.exe
Token: SeDebugPrivilege	2704	spoolsv.exe
Token: SeDebugPrivilege	1052	spoolsv.exe
Token: SeDebugPrivilege	1868	spoolsv.exe
Token: SeDebugPrivilege	2220	spoolsv.exe
Token: SeDebugPrivilege	1756	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1256	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	40
PID 2396 wrote to memory of 1256	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	40
PID 2396 wrote to memory of 1256	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	40
PID 2396 wrote to memory of 1836	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	41
PID 2396 wrote to memory of 1836	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	41
PID 2396 wrote to memory of 1836	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	41
PID 2396 wrote to memory of 2124	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	43
PID 2396 wrote to memory of 2124	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	43
PID 2396 wrote to memory of 2124	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	43
PID 2396 wrote to memory of 896	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	44
PID 2396 wrote to memory of 896	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	44
PID 2396 wrote to memory of 896	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	44
PID 2396 wrote to memory of 1776	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	45
PID 2396 wrote to memory of 1776	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	45
PID 2396 wrote to memory of 1776	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	45
PID 2396 wrote to memory of 1636	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	46
PID 2396 wrote to memory of 1636	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	46
PID 2396 wrote to memory of 1636	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	46
PID 2396 wrote to memory of 576	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	47
PID 2396 wrote to memory of 576	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	47
PID 2396 wrote to memory of 576	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	47
PID 2396 wrote to memory of 1004	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	48
PID 2396 wrote to memory of 1004	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	48
PID 2396 wrote to memory of 1004	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	48
PID 2396 wrote to memory of 404	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	49
PID 2396 wrote to memory of 404	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	49
PID 2396 wrote to memory of 404	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	49
PID 2396 wrote to memory of 2504	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	50
PID 2396 wrote to memory of 2504	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	50
PID 2396 wrote to memory of 2504	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	50
PID 2396 wrote to memory of 1012	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	51
PID 2396 wrote to memory of 1012	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	51
PID 2396 wrote to memory of 1012	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	51
PID 2396 wrote to memory of 1700	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	52
PID 2396 wrote to memory of 1700	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	52
PID 2396 wrote to memory of 1700	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	52
PID 2396 wrote to memory of 1576	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	64
PID 2396 wrote to memory of 1576	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	64
PID 2396 wrote to memory of 1576	2396	9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe	64
PID 1576 wrote to memory of 2764	1576	spoolsv.exe	65
PID 1576 wrote to memory of 2764	1576	spoolsv.exe	65
PID 1576 wrote to memory of 2764	1576	spoolsv.exe	65
PID 1576 wrote to memory of 2060	1576	spoolsv.exe	66
PID 1576 wrote to memory of 2060	1576	spoolsv.exe	66
PID 1576 wrote to memory of 2060	1576	spoolsv.exe	66
PID 2764 wrote to memory of 1976	2764	WScript.exe	67
PID 2764 wrote to memory of 1976	2764	WScript.exe	67
PID 2764 wrote to memory of 1976	2764	WScript.exe	67
PID 1976 wrote to memory of 1768	1976	spoolsv.exe	68
PID 1976 wrote to memory of 1768	1976	spoolsv.exe	68
PID 1976 wrote to memory of 1768	1976	spoolsv.exe	68
PID 1976 wrote to memory of 2472	1976	spoolsv.exe	69
PID 1976 wrote to memory of 2472	1976	spoolsv.exe	69
PID 1976 wrote to memory of 2472	1976	spoolsv.exe	69
PID 1768 wrote to memory of 836	1768	WScript.exe	70
PID 1768 wrote to memory of 836	1768	WScript.exe	70
PID 1768 wrote to memory of 836	1768	WScript.exe	70
PID 836 wrote to memory of 2252	836	spoolsv.exe	71
PID 836 wrote to memory of 2252	836	spoolsv.exe	71
PID 836 wrote to memory of 2252	836	spoolsv.exe	71
PID 836 wrote to memory of 1256	836	spoolsv.exe	72
PID 836 wrote to memory of 1256	836	spoolsv.exe	72
PID 836 wrote to memory of 1256	836	spoolsv.exe	72
PID 2252 wrote to memory of 1884	2252	WScript.exe	73

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe
"C:\Users\Admin\AppData\Local\Temp\9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\Migration\WTR\spoolsv.exe
  "C:\Windows\Migration\WTR\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aecc1a7-dcb4-42ad-b98d-0cec42d3aff2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\Migration\WTR\spoolsv.exe
      C:\Windows\Migration\WTR\spoolsv.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18066e66-6c81-4973-ba7e-8e32433ed1e1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\Migration\WTR\spoolsv.exe
        
        C:\Windows\Migration\WTR\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a72b2b03-9245-46ae-97d2-57852008d41a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        C:\Windows\Migration\WTR\spoolsv.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81ec752b-2fcd-43ac-86ad-5fae8eb490d2.vbs"
        9⤵
        
        PID:2760
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        C:\Windows\Migration\WTR\spoolsv.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8816f51-0e72-455a-bd04-8f853925a310.vbs"
        11⤵
        
        PID:1252
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        C:\Windows\Migration\WTR\spoolsv.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30ed5ef9-0287-47e8-9ecd-7688c57cf1ec.vbs"
        13⤵
        
        PID:1320
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        C:\Windows\Migration\WTR\spoolsv.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05b42dee-b25c-4851-8148-76e9ce4a513d.vbs"
        15⤵
        
        PID:984
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        C:\Windows\Migration\WTR\spoolsv.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec7a4de9-e9e3-405b-902d-eb1a243bd19a.vbs"
        17⤵
        
        PID:664
        
        C:\Windows\Migration\WTR\spoolsv.exe
        
        C:\Windows\Migration\WTR\spoolsv.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bda09386-31da-402b-9109-2c6350f80745.vbs"
        19⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4a12ac4-19b9-411f-a4e3-271ef07df93c.vbs"
        19⤵
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b7193b-7f7a-4bc2-9a78-81a0e5048260.vbs"
        17⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9955146d-59c1-4a59-86ba-b45a6630df7d.vbs"
        15⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99f51c86-ec68-48b7-8fce-79b38bc9a615.vbs"
        13⤵
        
        PID:1348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7cb4f44-07be-4cb3-819d-02abfe562150.vbs"
        11⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4ce9784-7af9-488a-896e-acd6e623babb.vbs"
        9⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03b61738-8dc2-43e7-96a3-1a8d0fd9454b.vbs"
        7⤵
        
        PID:1256
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\629a02e1-9ea6-423e-bfd4-28e89e24efaf.vbs"
        5⤵
        
        PID:2472
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b44f908e-92c2-4b11-b9f7-1056f623872b.vbs"
    3⤵
    PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05b42dee-b25c-4851-8148-76e9ce4a513d.vbs

Filesize
712B

MD5
5fb673be0049f7a079bddaaada511af2

SHA1
abf3819ca07ae256c45e50b3a84739c4bac0a38e

SHA256
3746c5c62279314235739075ed0c8985f8a27d1b255e7ebce10ede0338ab69c5

SHA512
cd9cc5e2d6b42567d629b0a6a972446326821eae21cb5877b09349d4fd5d6f1ff555a59ed0f2369314a55bb7a53b8c45ae1a88f8db76901c257208fc72e596d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\18066e66-6c81-4973-ba7e-8e32433ed1e1.vbs

Filesize
712B

MD5
ad243e6caf6ec10ba2ae3866773a6da0

SHA1
d043857deb043e49aa95f440fb0419e3690c44f6

SHA256
184b7077623b425464620b553db48a06a9b21b5f35a39308ebf9171e63cc67c8

SHA512
d3655ed9fbb71e13b0b314b19fa466da27dced637e5b69f36a83ed7651d87d9774568159c89bea5f53975894fdc39eba222492f672e2c4c1e1dc1f7fba1c58b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\30ed5ef9-0287-47e8-9ecd-7688c57cf1ec.vbs

Filesize
712B

MD5
2606e317771c7018adce8dcc4bda879e

SHA1
5c15af82a72c069edbb02f7bad861ff7a7489205

SHA256
5515f207474e8c4f676f5583aa4a102645b7e96ee092472580710bc274d0ad66

SHA512
fcaa27f60e3ece21b9f583c6dd8dc5afdca4fdce16b170981c8a749c6e9aa631f630d6d0299bd5541c9f1e79b75ee355314df8d2e5d61144b34ad7802a7949c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\81ec752b-2fcd-43ac-86ad-5fae8eb490d2.vbs

Filesize
712B

MD5
346977ed52857f52935a6ef570455534

SHA1
71f9dd05b847773bfc93bbe1210f0150ff9cb186

SHA256
a7983eba45d20f705af41f3b51634ec512d215a7a6cd36157cf7c78da775923f

SHA512
a8ca1acf35562ddec2b7efa27f53f262e34832e313c7965653cfc9c55ed58dad9e69f84b1bd914cab0d5f66e937f9f1f34a766c4fe9a044e455445f2cea5abaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\8aecc1a7-dcb4-42ad-b98d-0cec42d3aff2.vbs

Filesize
712B

MD5
26699a4c8988b4b0ebaa666cc528828f

SHA1
e24ff7dd0f9d53a448c9a478f4539d175e0930b0

SHA256
32cf9ec6e591803f631bc3bb48fe95c14c4e92960f94c2d4918cebf52ee8ec61

SHA512
4cfdf45adced1841dc54939a1b7c69e25448f894f967e97224d72cf24edf8d8a6f99d5b4a706796387a60b6bc4eb0168cbf69e244f59495e6eaf4b93470ed2d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX144D.tmp

Filesize
1.7MB

MD5
2ee8bf268f50f97db5231d71e3023c37

SHA1
0dd823f60b08b9b307c4be5f59c3b275caa2e1d5

SHA256
9dec0c7146d6ef962682852c34afe177826f2560a33f59150843b46985530cc7

SHA512
294877dccd8c04d4c134ca29a9ebebe746f4b4a67bd7761cd581f27fcfe6a7b0866cde35d1c819e1f63b9fb829424e6d77711a494427ea73b84c53b48a2d6f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a72b2b03-9245-46ae-97d2-57852008d41a.vbs

Filesize
711B

MD5
8b560d5af54302583fea6bf4296826ef

SHA1
95c7fecb539095e3b9f577c267df7afcc274cb16

SHA256
2fefa09c960f16729ba11cbad6a5d309cd5fec515a9b67313bf2545757d5c70f

SHA512
bf63d6358b9490c0e714a02847c276c37c77ff24e94d814eecca9fafec502829307dd6b90681285ae3e62550d0c9fe43127a0f11b9f301e0d90338bf4c8cb862

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8816f51-0e72-455a-bd04-8f853925a310.vbs

Filesize
712B

MD5
a1cd1026942522de52d1bfa07beb6456

SHA1
5f056566f04b6351e67ce1ee781a06dacf9e6ad7

SHA256
699fb2b987a20f58def213bf2374d1370cb1971b6b5e28e803309c063c817aa9

SHA512
8e5cadabfc1a5e44bdf4ade35acff1091de8c99e050c86abc2404f4c61a69c37450dbbe8f457724706944d58d158fe4af0e665e2014546beedee3413cb1e6313

Download Submit
C:\Users\Admin\AppData\Local\Temp\b44f908e-92c2-4b11-b9f7-1056f623872b.vbs

Filesize
488B

MD5
196ff174ad0b5252d79c2d8278d58482

SHA1
253d36f97b7af4c45e8bd38bed36a7216d4ff5a5

SHA256
706704ae2c0a755ddf8b35b67519bc90f4d2a330ec50b7738e3e3bdb18732310

SHA512
f78e45eb4f4eabfd5220668ce646a8e4412ce8c3ff4de56ab0c0adfb1ab123385240ae389fd051d57570f3a0fb7bde9d99eea746dee1f4c3588ecd4a2444e1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\bda09386-31da-402b-9109-2c6350f80745.vbs

Filesize
712B

MD5
dc011fa93f4f6ea5acae9a84b90a0482

SHA1
f0968bff4849fc880aa27b335cdae2c683bd91eb

SHA256
20b71fb2aa9d65727b1ae5acf238262462134d78ff40e4d1d4f08c0e88d88fd1

SHA512
a7e236cd692a4ca9301f9006b5349fec4eba61101878678b90a0e07c502ee5086aaac3f2c022d3e926551a4e59cdd3a21affb27282fb92cffb832b318699d378

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec7a4de9-e9e3-405b-902d-eb1a243bd19a.vbs

Filesize
712B

MD5
760e72831c0267650428ee03a229266f

SHA1
092b088be76c64805569cb193516fb73d9892f6a

SHA256
afe602ab37ee34db4daa8c59daa0ebf9bccac6cc8d225b0721a7249d7f33ce06

SHA512
8f064ab09dc975805b1ec0711122256fe76e066b8475103cfd7f31d28fe470bed059992fa71a47fe0fe299fc60d8d2704354a6f604f3f5dfa03656fda78d81c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12262ec5cb559a3154c28ff9201254a8

SHA1
c2f3cb345713116e56bf359fa863d8521b3c1e47

SHA256
65d1a5d2afa13d58ff3353431722157efe35aec9e0656bdecb0d489b64ad4b3f

SHA512
fb92d59b01b27484494618191be7f59f7961dfd51e268b2dcf5733a6c68c8207d6864db01e0102932b67aa150816bd112ef974428f6703d2ef78e9dc1cb4e8f7

Download Submit
C:\Windows\addins\services.exe

Filesize
1.7MB

MD5
4f816cecf1310d6d5d20da98c0f1ab72

SHA1
a991bade9e1c19c6e8f5bf30dc8297b4cf00ff1c

SHA256
5828e0f4e2c538a7df45473387d77c6ebc4c07d90a1b1f195c78fc470e113f2e

SHA512
dda7330bc469edc3b593e40b2feb3096e8552b8927f780e2267e96c8d9432e35637adfe80cdcd65cc245733d4f87d45a6bbbba7e55b785589bbb9c61aa5d62b2

Download Submit
memory/836-157-0x0000000000F50000-0x0000000001110000-memory.dmp

Filesize
1.8MB

Download
memory/1052-191-0x0000000000220000-0x00000000003E0000-memory.dmp

Filesize
1.8MB

Download
memory/1256-71-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1256-82-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1576-134-0x0000000002080000-0x0000000002092000-memory.dmp

Filesize
72KB

Download
memory/1756-227-0x0000000000E60000-0x0000000001020000-memory.dmp

Filesize
1.8MB

Download
memory/1868-203-0x0000000001170000-0x0000000001330000-memory.dmp

Filesize
1.8MB

Download
memory/1976-145-0x00000000000A0000-0x0000000000260000-memory.dmp

Filesize
1.8MB

Download
memory/2220-215-0x00000000002B0000-0x0000000000470000-memory.dmp

Filesize
1.8MB

Download
memory/2396-1-0x00000000000B0000-0x0000000000270000-memory.dmp

Filesize
1.8MB

Download
memory/2396-6-0x00000000021D0000-0x00000000021E6000-memory.dmp

Filesize
88KB

Download
memory/2396-0-0x000007FEF50D3000-0x000007FEF50D4000-memory.dmp

Filesize
4KB

Download
memory/2396-11-0x0000000002320000-0x0000000002332000-memory.dmp

Filesize
72KB

Download
memory/2396-17-0x000000001AC80000-0x000000001AC8C000-memory.dmp

Filesize
48KB

Download
memory/2396-15-0x000000001AC60000-0x000000001AC68000-memory.dmp

Filesize
32KB

Download
memory/2396-16-0x000000001AC70000-0x000000001AC7C000-memory.dmp

Filesize
48KB

Download
memory/2396-13-0x000000001A870000-0x000000001A87A000-memory.dmp

Filesize
40KB

Download
memory/2396-7-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/2396-133-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-5-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/2396-14-0x000000001AC50000-0x000000001AC5E000-memory.dmp

Filesize
56KB

Download
memory/2396-4-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2396-8-0x0000000002300000-0x000000000230C000-memory.dmp

Filesize
48KB

Download
memory/2396-3-0x0000000000610000-0x000000000062C000-memory.dmp

Filesize
112KB

Download
memory/2396-12-0x000000001A860000-0x000000001A86C000-memory.dmp

Filesize
48KB

Download
memory/2396-2-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-18-0x000007FEF50D0000-0x000007FEF5ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2396-9-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download