dcrat | 87b0a9e1d76ecaff218f701b021e0e068d230afb10173f52d292906937cd61d3

Analysis

max time kernel
120s
max time network
185s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 10:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c51e336ccce286f7dc77f757453b758a.exe
Size

3.2MB
MD5

c51e336ccce286f7dc77f757453b758a
SHA1

7f417599de5435e88a6088e4ce3cf427ec4f7114
SHA256

87b0a9e1d76ecaff218f701b021e0e068d230afb10173f52d292906937cd61d3
SHA512

97d8668b383f88422286bccb4440abafa7881b00c2a7dc801e50af9a125b362b918a37b3ac481c1b95c72987bf6a017c649319c336cc4a0fc9f8f44a1efa976d
SSDEEP

24576:nr3wZURPUxmbXPKbzZzKglPxkDX8UUz8AYdps+c5m9+ATIir683R+bNwoDlVF:nEZFmb4gglZWrzs+cIw2683sbuoD

Score

10^/10

dcrat discovery execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2896	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2416	powershell.exe
112	powershell.exe
2132	powershell.exe
2428	powershell.exe
2636	powershell.exe
776	powershell.exe
1796	powershell.exe
1876	powershell.exe
2100	powershell.exe
2264	powershell.exe
1816	powershell.exe
432	powershell.exe
1492	powershell.exe
1928	powershell.exe
2464	powershell.exe
2420	powershell.exe
2440	powershell.exe
1808	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1992	csrss.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\6203df4a6bafc7	c51e336ccce286f7dc77f757453b758a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\services.exe	c51e336ccce286f7dc77f757453b758a.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\c5b4cb5e9653cc	c51e336ccce286f7dc77f757453b758a.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe	c51e336ccce286f7dc77f757453b758a.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\taskhost.exe	c51e336ccce286f7dc77f757453b758a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\taskhost.exe	c51e336ccce286f7dc77f757453b758a.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\b75386f1303e64	c51e336ccce286f7dc77f757453b758a.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe	c51e336ccce286f7dc77f757453b758a.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\886983d96e3d3e	c51e336ccce286f7dc77f757453b758a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2320	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2320	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2724	schtasks.exe
1180	schtasks.exe
1032	schtasks.exe
3028	schtasks.exe
2316	schtasks.exe
2780	schtasks.exe
2332	schtasks.exe
1972	schtasks.exe
836	schtasks.exe
1960	schtasks.exe
1096	schtasks.exe
1976	schtasks.exe
2008	schtasks.exe
2680	schtasks.exe
2656	schtasks.exe
1460	schtasks.exe
1880	schtasks.exe
2024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe
2600	c51e336ccce286f7dc77f757453b758a.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	c51e336ccce286f7dc77f757453b758a.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1992	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2428	2600	c51e336ccce286f7dc77f757453b758a.exe	49
PID 2600 wrote to memory of 2428	2600	c51e336ccce286f7dc77f757453b758a.exe	49
PID 2600 wrote to memory of 2428	2600	c51e336ccce286f7dc77f757453b758a.exe	49
PID 2600 wrote to memory of 2636	2600	c51e336ccce286f7dc77f757453b758a.exe	50
PID 2600 wrote to memory of 2636	2600	c51e336ccce286f7dc77f757453b758a.exe	50
PID 2600 wrote to memory of 2636	2600	c51e336ccce286f7dc77f757453b758a.exe	50
PID 2600 wrote to memory of 2416	2600	c51e336ccce286f7dc77f757453b758a.exe	51
PID 2600 wrote to memory of 2416	2600	c51e336ccce286f7dc77f757453b758a.exe	51
PID 2600 wrote to memory of 2416	2600	c51e336ccce286f7dc77f757453b758a.exe	51
PID 2600 wrote to memory of 2420	2600	c51e336ccce286f7dc77f757453b758a.exe	52
PID 2600 wrote to memory of 2420	2600	c51e336ccce286f7dc77f757453b758a.exe	52
PID 2600 wrote to memory of 2420	2600	c51e336ccce286f7dc77f757453b758a.exe	52
PID 2600 wrote to memory of 2264	2600	c51e336ccce286f7dc77f757453b758a.exe	54
PID 2600 wrote to memory of 2264	2600	c51e336ccce286f7dc77f757453b758a.exe	54
PID 2600 wrote to memory of 2264	2600	c51e336ccce286f7dc77f757453b758a.exe	54
PID 2600 wrote to memory of 2132	2600	c51e336ccce286f7dc77f757453b758a.exe	56
PID 2600 wrote to memory of 2132	2600	c51e336ccce286f7dc77f757453b758a.exe	56
PID 2600 wrote to memory of 2132	2600	c51e336ccce286f7dc77f757453b758a.exe	56
PID 2600 wrote to memory of 2100	2600	c51e336ccce286f7dc77f757453b758a.exe	57
PID 2600 wrote to memory of 2100	2600	c51e336ccce286f7dc77f757453b758a.exe	57
PID 2600 wrote to memory of 2100	2600	c51e336ccce286f7dc77f757453b758a.exe	57
PID 2600 wrote to memory of 1808	2600	c51e336ccce286f7dc77f757453b758a.exe	58
PID 2600 wrote to memory of 1808	2600	c51e336ccce286f7dc77f757453b758a.exe	58
PID 2600 wrote to memory of 1808	2600	c51e336ccce286f7dc77f757453b758a.exe	58
PID 2600 wrote to memory of 112	2600	c51e336ccce286f7dc77f757453b758a.exe	59
PID 2600 wrote to memory of 112	2600	c51e336ccce286f7dc77f757453b758a.exe	59
PID 2600 wrote to memory of 112	2600	c51e336ccce286f7dc77f757453b758a.exe	59
PID 2600 wrote to memory of 2464	2600	c51e336ccce286f7dc77f757453b758a.exe	60
PID 2600 wrote to memory of 2464	2600	c51e336ccce286f7dc77f757453b758a.exe	60
PID 2600 wrote to memory of 2464	2600	c51e336ccce286f7dc77f757453b758a.exe	60
PID 2600 wrote to memory of 1928	2600	c51e336ccce286f7dc77f757453b758a.exe	64
PID 2600 wrote to memory of 1928	2600	c51e336ccce286f7dc77f757453b758a.exe	64
PID 2600 wrote to memory of 1928	2600	c51e336ccce286f7dc77f757453b758a.exe	64
PID 2600 wrote to memory of 1492	2600	c51e336ccce286f7dc77f757453b758a.exe	65
PID 2600 wrote to memory of 1492	2600	c51e336ccce286f7dc77f757453b758a.exe	65
PID 2600 wrote to memory of 1492	2600	c51e336ccce286f7dc77f757453b758a.exe	65
PID 2600 wrote to memory of 1876	2600	c51e336ccce286f7dc77f757453b758a.exe	66
PID 2600 wrote to memory of 1876	2600	c51e336ccce286f7dc77f757453b758a.exe	66
PID 2600 wrote to memory of 1876	2600	c51e336ccce286f7dc77f757453b758a.exe	66
PID 2600 wrote to memory of 1796	2600	c51e336ccce286f7dc77f757453b758a.exe	67
PID 2600 wrote to memory of 1796	2600	c51e336ccce286f7dc77f757453b758a.exe	67
PID 2600 wrote to memory of 1796	2600	c51e336ccce286f7dc77f757453b758a.exe	67
PID 2600 wrote to memory of 2440	2600	c51e336ccce286f7dc77f757453b758a.exe	68
PID 2600 wrote to memory of 2440	2600	c51e336ccce286f7dc77f757453b758a.exe	68
PID 2600 wrote to memory of 2440	2600	c51e336ccce286f7dc77f757453b758a.exe	68
PID 2600 wrote to memory of 432	2600	c51e336ccce286f7dc77f757453b758a.exe	69
PID 2600 wrote to memory of 432	2600	c51e336ccce286f7dc77f757453b758a.exe	69
PID 2600 wrote to memory of 432	2600	c51e336ccce286f7dc77f757453b758a.exe	69
PID 2600 wrote to memory of 776	2600	c51e336ccce286f7dc77f757453b758a.exe	70
PID 2600 wrote to memory of 776	2600	c51e336ccce286f7dc77f757453b758a.exe	70
PID 2600 wrote to memory of 776	2600	c51e336ccce286f7dc77f757453b758a.exe	70
PID 2600 wrote to memory of 1816	2600	c51e336ccce286f7dc77f757453b758a.exe	71
PID 2600 wrote to memory of 1816	2600	c51e336ccce286f7dc77f757453b758a.exe	71
PID 2600 wrote to memory of 1816	2600	c51e336ccce286f7dc77f757453b758a.exe	71
PID 2600 wrote to memory of 2088	2600	c51e336ccce286f7dc77f757453b758a.exe	79
PID 2600 wrote to memory of 2088	2600	c51e336ccce286f7dc77f757453b758a.exe	79
PID 2600 wrote to memory of 2088	2600	c51e336ccce286f7dc77f757453b758a.exe	79
PID 2088 wrote to memory of 2992	2088	cmd.exe	87
PID 2088 wrote to memory of 2992	2088	cmd.exe	87
PID 2088 wrote to memory of 2992	2088	cmd.exe	87
PID 2088 wrote to memory of 2320	2088	cmd.exe	88
PID 2088 wrote to memory of 2320	2088	cmd.exe	88
PID 2088 wrote to memory of 2320	2088	cmd.exe	88
PID 2088 wrote to memory of 1992	2088	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c51e336ccce286f7dc77f757453b758a.exe
"C:\Users\Admin\AppData\Local\Temp\c51e336ccce286f7dc77f757453b758a.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c51e336ccce286f7dc77f757453b758a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CS2mYXTl6R.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2992
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2320
- - C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe
    "C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c51e336ccce286f7dc77f757453b758ac" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\c51e336ccce286f7dc77f757453b758a.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c51e336ccce286f7dc77f757453b758a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\c51e336ccce286f7dc77f757453b758a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c51e336ccce286f7dc77f757453b758ac" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\c51e336ccce286f7dc77f757453b758a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\Hearts\ja-JP\csrss.exe

Filesize
3.2MB

MD5
c51e336ccce286f7dc77f757453b758a

SHA1
7f417599de5435e88a6088e4ce3cf427ec4f7114

SHA256
87b0a9e1d76ecaff218f701b021e0e068d230afb10173f52d292906937cd61d3

SHA512
97d8668b383f88422286bccb4440abafa7881b00c2a7dc801e50af9a125b362b918a37b3ac481c1b95c72987bf6a017c649319c336cc4a0fc9f8f44a1efa976d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CS2mYXTl6R.bat

Filesize
183B

MD5
7940d4f46a47fa5e1df640944bc6a927

SHA1
da52464ec724446fffc0ba149514746d427eb462

SHA256
a63361569297fe13469bca011db97aa4126c59299c6475d647ac2c08e5ead144

SHA512
5a96ece0dcef86d43aa918174ef97c1e7157a7e1fedaf82015040061df385b7ceaae85f819eb6740fa0b3180e586662571787756780faa38b5e42015fb53560e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1b2d763011d1e75498a210ce4ab4bee8

SHA1
c1cdf280dd73abe9135bf04d8f3ed19406f7cb5d

SHA256
44ae1929329dc5d26991035485e1b7717ee403b1aac1c5ab4e2619112ec5f796

SHA512
574e6a52dbd3e30150f10f4ff7f93805a296ba2dbfd59fbf9bc085becd8d8919b63555391778f0423de2afe11339cf29af2e575a5dc2cf363e77172a357528cd

Download Submit
memory/776-54-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/1992-129-0x0000000000FA0000-0x0000000001182000-memory.dmp

Filesize
1.9MB

Download
memory/2264-56-0x0000000002020000-0x0000000002028000-memory.dmp

Filesize
32KB

Download
memory/2600-16-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2600-20-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-10-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2600-11-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-12-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-14-0x0000000000A10000-0x0000000000A28000-memory.dmp

Filesize
96KB

Download
memory/2600-0-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2600-17-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-19-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/2600-8-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2600-6-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-33-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-34-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-5-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-4-0x000007FEF5DD3000-0x000007FEF5DD4000-memory.dmp

Filesize
4KB

Download
memory/2600-3-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-55-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-90-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-2-0x000007FEF5DD0000-0x000007FEF67BC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-1-0x0000000000A50000-0x0000000000C32000-memory.dmp

Filesize
1.9MB

Download