dcrat | 18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8

Analysis

max time kernel
119s
max time network
102s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
Size

1.7MB
MD5

5adb3b76b3c985bf7eaee7245a0e9f40
SHA1

4c1f2c2a7e5fab59b7c349215411f72c589a5515
SHA256

18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8
SHA512

bf9bec6624e7781991f752f63eff5622f43f7c11aa561138200f8693f50d4b5bca90c85c168de72bc390273649a5c0aeccc3ce4b070e27bbbd69f6d118bd80ee
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:uTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1336	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1336	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2644-1-0x0000000000C00000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/files/0x0007000000016d67-30.dat	dcrat
behavioral1/files/0x0006000000016df3-40.dat	dcrat
behavioral1/files/0x00480000000120f4-63.dat	dcrat
behavioral1/files/0x0009000000015ec4-74.dat	dcrat
behavioral1/memory/756-115-0x00000000012D0000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1864	powershell.exe
2040	powershell.exe
3040	powershell.exe
2916	powershell.exe
1780	powershell.exe
2960	powershell.exe
3032	powershell.exe
1424	powershell.exe
1240	powershell.exe
2760	powershell.exe
1644	powershell.exe
1928	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe

Executes dropped EXE 3 IoCs

pid	Process
756	spoolsv.exe
2204	spoolsv.exe
736	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\f3b6ecef712a24	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCXB57C.tmp	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCXB5EA.tmp	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\AppCompat\Programs\RCXB7EE.tmp	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Windows\AppCompat\Programs\csrss.exe	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCXBA61.tmp	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\audiodg.exe	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXB7EF.tmp	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File opened for modification	C:\Windows\DigitalLocker\es-ES\RCXB9F3.tmp	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File created	C:\Windows\AppCompat\Programs\csrss.exe	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File created	C:\Windows\AppCompat\Programs\886983d96e3d3e	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File created	C:\Windows\DigitalLocker\es-ES\audiodg.exe	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
File created	C:\Windows\DigitalLocker\es-ES\42af1c969fbb7b	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe
2712	schtasks.exe
3044	schtasks.exe
2900	schtasks.exe
1936	schtasks.exe
2804	schtasks.exe
2864	schtasks.exe
3028	schtasks.exe
2264	schtasks.exe
2996	schtasks.exe
3016	schtasks.exe
2308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
3032	powershell.exe
1928	powershell.exe
1780	powershell.exe
1424	powershell.exe
1240	powershell.exe
1644	powershell.exe
2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
2960	powershell.exe
2040	powershell.exe
2760	powershell.exe
2916	powershell.exe
1864	powershell.exe
3040	powershell.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe
756	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	756	spoolsv.exe
Token: SeDebugPrivilege	2204	spoolsv.exe
Token: SeDebugPrivilege	736	spoolsv.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2760	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	43
PID 2644 wrote to memory of 2760	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	43
PID 2644 wrote to memory of 2760	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	43
PID 2644 wrote to memory of 1644	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	44
PID 2644 wrote to memory of 1644	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	44
PID 2644 wrote to memory of 1644	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	44
PID 2644 wrote to memory of 2916	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	45
PID 2644 wrote to memory of 2916	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	45
PID 2644 wrote to memory of 2916	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	45
PID 2644 wrote to memory of 1928	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	46
PID 2644 wrote to memory of 1928	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	46
PID 2644 wrote to memory of 1928	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	46
PID 2644 wrote to memory of 1780	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	47
PID 2644 wrote to memory of 1780	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	47
PID 2644 wrote to memory of 1780	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	47
PID 2644 wrote to memory of 2960	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	48
PID 2644 wrote to memory of 2960	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	48
PID 2644 wrote to memory of 2960	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	48
PID 2644 wrote to memory of 1864	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	49
PID 2644 wrote to memory of 1864	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	49
PID 2644 wrote to memory of 1864	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	49
PID 2644 wrote to memory of 1240	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	50
PID 2644 wrote to memory of 1240	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	50
PID 2644 wrote to memory of 1240	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	50
PID 2644 wrote to memory of 1424	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	51
PID 2644 wrote to memory of 1424	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	51
PID 2644 wrote to memory of 1424	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	51
PID 2644 wrote to memory of 2040	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	52
PID 2644 wrote to memory of 2040	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	52
PID 2644 wrote to memory of 2040	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	52
PID 2644 wrote to memory of 3032	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	54
PID 2644 wrote to memory of 3032	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	54
PID 2644 wrote to memory of 3032	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	54
PID 2644 wrote to memory of 3040	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	65
PID 2644 wrote to memory of 3040	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	65
PID 2644 wrote to memory of 3040	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	65
PID 2644 wrote to memory of 756	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	67
PID 2644 wrote to memory of 756	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	67
PID 2644 wrote to memory of 756	2644	18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe	67
PID 756 wrote to memory of 2792	756	spoolsv.exe	69
PID 756 wrote to memory of 2792	756	spoolsv.exe	69
PID 756 wrote to memory of 2792	756	spoolsv.exe	69
PID 756 wrote to memory of 2460	756	spoolsv.exe	70
PID 756 wrote to memory of 2460	756	spoolsv.exe	70
PID 756 wrote to memory of 2460	756	spoolsv.exe	70
PID 2792 wrote to memory of 2204	2792	WScript.exe	71
PID 2792 wrote to memory of 2204	2792	WScript.exe	71
PID 2792 wrote to memory of 2204	2792	WScript.exe	71
PID 2204 wrote to memory of 2384	2204	spoolsv.exe	72
PID 2204 wrote to memory of 2384	2204	spoolsv.exe	72
PID 2204 wrote to memory of 2384	2204	spoolsv.exe	72
PID 2204 wrote to memory of 1836	2204	spoolsv.exe	73
PID 2204 wrote to memory of 1836	2204	spoolsv.exe	73
PID 2204 wrote to memory of 1836	2204	spoolsv.exe	73
PID 2384 wrote to memory of 736	2384	WScript.exe	74
PID 2384 wrote to memory of 736	2384	WScript.exe	74
PID 2384 wrote to memory of 736	2384	WScript.exe	74
PID 736 wrote to memory of 1392	736	spoolsv.exe	75
PID 736 wrote to memory of 1392	736	spoolsv.exe	75
PID 736 wrote to memory of 1392	736	spoolsv.exe	75
PID 736 wrote to memory of 2524	736	spoolsv.exe	76
PID 736 wrote to memory of 2524	736	spoolsv.exe	76
PID 736 wrote to memory of 2524	736	spoolsv.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe
"C:\Users\Admin\AppData\Local\Temp\18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe
  "C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5183628-5de3-438f-b14d-7a75f116a41d.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe
      "C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85892c91-a864-4c90-b7df-a3b374cc0856.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a069069b-ddad-486d-92b5-cd8157475c91.vbs"
        7⤵
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbb7dbe6-0d79-4f1f-a175-708cee3f9cc1.vbs"
        7⤵
        
        PID:2524
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\787710c2-25a1-4e43-9af7-a6a426bfe0eb.vbs"
        5⤵
        
        PID:1836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec6636d9-67b2-4b01-848f-64e6f06aa799.vbs"
    3⤵
    PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\ja-JP\spoolsv.exe

Filesize
1.7MB

MD5
32cf6d036e50e0d3595f90e1f72fa366

SHA1
8dbed6bdf8e05fd510a5816272233106adfd61cd

SHA256
47b9d01044818e5230da6060e518d96c1b2a489abe53165ca12e99b237953c21

SHA512
60fab06ea9231fa2fc3a9635a144243de28da206aafd7e9e4438be7a3faf1ffb5c67dce6be10ebbc94d3f8afcb427e2c559d3d1635a48a4ee37b4b10a8d7fa9e

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe

Filesize
1.7MB

MD5
8da4aef6fa8b390a4969b8c6a7613cc2

SHA1
8567d20991a64ea7356de70470d97b5aa3f1b1a8

SHA256
0644fd646234ce4a7b46b57a0e7aa4badf55327db8cb807cece7c4f4a03c8166

SHA512
0c02a9421885b24ef0802a7aaa08a63a558e63308cf74272dd3c97deebf3dec4aebabe26fc3f104e00b81cbf8afabbb1ac37c6430c381709f5db2403df401533

Download Submit
C:\Users\Admin\AppData\Local\Temp\85892c91-a864-4c90-b7df-a3b374cc0856.vbs

Filesize
737B

MD5
29578db2fafe02017d04b4f3442de79f

SHA1
42c211601a3d9faf9434208f32b370baaccb7749

SHA256
3b2f6f26ba63dfe4bd52f6aa5af075c676a283ec191c9aeb5e71197fc80bbe37

SHA512
1248c86e3c741321b55d8f6b35a03894a9b27addf69eb0b6b93966bae78bc4fc50675328303c5f11c97a3bfba501ce77e30835035079e84699c01799958ae361

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXB378.tmp

Filesize
1.7MB

MD5
5adb3b76b3c985bf7eaee7245a0e9f40

SHA1
4c1f2c2a7e5fab59b7c349215411f72c589a5515

SHA256
18be906406264a2010ce805c1d4acb113a7116942516559a2662ae9aa1d551b8

SHA512
bf9bec6624e7781991f752f63eff5622f43f7c11aa561138200f8693f50d4b5bca90c85c168de72bc390273649a5c0aeccc3ce4b070e27bbbd69f6d118bd80ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\a069069b-ddad-486d-92b5-cd8157475c91.vbs

Filesize
736B

MD5
a86c0d996c7a507634743db5ea6b7917

SHA1
954862836342fa923112520003e74d92422ad43f

SHA256
c6247d2f0aef5bafa1d6e761e0960a00c97bd00a7d0aa39d657ea1b05e86fc14

SHA512
5ab3d588e053ab3ea30a194d270bed1d55caef95f1ed3877284cdb2535c5a94ef69ef2e5cab6e910eb79a68655b33468d15d7e4e31c0f4e86bd6348a13cddd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5183628-5de3-438f-b14d-7a75f116a41d.vbs

Filesize
736B

MD5
750da6f32bac3d9b1a6336e2f7ee59fd

SHA1
55995bca24244f14ad9fe5f64bf3247490733f11

SHA256
8d3ee831e35137804be9d285bf4c9519cedf684797bad8a28ad66fe501255e56

SHA512
9d96b1d162a569f1723c40560aa1e2cbb30cd5f225ea08295289fb6161c5966abff3b20ae4193904f935b2df758447891a556b217347c52326526ff68f5d21e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec6636d9-67b2-4b01-848f-64e6f06aa799.vbs

Filesize
513B

MD5
a82b8d35f682c28d33adbd62a5bc1eee

SHA1
88121eeebbbcd3df8b82dcab79994014caacbb56

SHA256
533a08b903b986c8a93bf25171e9791864087a125dee79cc070cb082870f3149

SHA512
b4bce7075f8a76ca40ff9dae079c99dc3e4c6c68069535865f36108426bc1485b56a8e22834ba2d0098d64d95e58fa091a2536cf6dea8f248467ac81cb7459a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
06c46107bfd6373085dae91ef0360844

SHA1
cfb642c400fa1733e91005885424201232161970

SHA256
786af57b802fbf329b31a191fa67b5f9741109f5dcd9c82a1d5e9a2c78e28967

SHA512
3d93dab97f45bdf46d02e20d0635dded57ac417adc3faf9225a72a16ef47c2b3a5f11c8396aae3b16be68a329722b0f99a00d456e320db2ae46dab56c41d658b

Download Submit
C:\Windows\DigitalLocker\es-ES\audiodg.exe

Filesize
1.7MB

MD5
09bdbea01125c0d33e79bc5ca531ad6b

SHA1
1fcf7de2c4173df194790a649ad44c0acbe3df7c

SHA256
ca57210ea341c780edcfbaab44092bcceebbcfb9b1e8a1d6230ed3130521d866

SHA512
548a9cf24e3a12175f0dd8fec20ce49ce1aa0498257e219b8fe3093b5c45f29c7df80d79837f3604166ef73e34f5a50198f3d89dabdb1a11d3ca7f7801947db9

Download Submit
memory/736-169-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/756-147-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/756-115-0x00000000012D0000-0x0000000001490000-memory.dmp

Filesize
1.8MB

Download
memory/2644-17-0x0000000002360000-0x000000000236C000-memory.dmp

Filesize
48KB

Download
memory/2644-6-0x0000000000700000-0x0000000000716000-memory.dmp

Filesize
88KB

Download
memory/2644-16-0x0000000002310000-0x000000000231C000-memory.dmp

Filesize
48KB

Download
memory/2644-15-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/2644-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

Filesize
4KB

Download
memory/2644-20-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-14-0x00000000021F0000-0x00000000021FE000-memory.dmp

Filesize
56KB

Download
memory/2644-12-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2644-11-0x0000000000750000-0x0000000000762000-memory.dmp

Filesize
72KB

Download
memory/2644-9-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/2644-8-0x0000000000730000-0x000000000073C000-memory.dmp

Filesize
48KB

Download
memory/2644-13-0x00000000021E0000-0x00000000021EA000-memory.dmp

Filesize
40KB

Download
memory/2644-1-0x0000000000C00000-0x0000000000DC0000-memory.dmp

Filesize
1.8MB

Download
memory/2644-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-136-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

Filesize
9.9MB

Download
memory/2644-7-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2644-5-0x00000000006F0000-0x0000000000700000-memory.dmp

Filesize
64KB

Download
memory/2644-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2644-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/3032-108-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/3032-109-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download