dcrat | ec9fa98b9c0a55ad5d3b51bf6148b6e2041d1a14c36b4ad98caa9438bc3854e9

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Size

1.6MB
MD5

82d57ff1bfcade0c2a515e8f860739eb
SHA1

01c4325519c55f650dd5fb98e9c41422c987f982
SHA256

fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d
SHA512

7c0477a2289ff1c1c943f3938166cd8c00c898d212329c84de27140942918b028afa2186fff12694bc914fec8cf1141813f0e3024a5d653ebb4dbc6c6d2fe519
SSDEEP

24576:xU5rv4BImFXHPqAv21Y9odIq+gnEJWoOyrHDBEPkyFzN3AAkzvL+x:hpftpodIq+sEJWArjBEPk4z61vL+

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\", \"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\csrss.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\", \"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\", \"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\SppExtComObj.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\", \"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\", \"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\SppExtComObj.exe\", \"C:\\Recovery\\WindowsRE\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5056	powershell.exe
5032	powershell.exe
5024	powershell.exe
1780	powershell.exe
388	powershell.exe
2532	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\edge_BITS_4664_660643336\\RuntimeBroker.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\SppExtComObj.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\SppExtComObj.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Recovery\\WindowsRE\\Registry.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\csrss.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\4fc20efa2b2ad5aa4b35f8fcca90f7df\\csrss.exe\""	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC88C21C6FE6164A39B6D127B3B17D1640.TMP	csc.exe
File created	\??\c:\Windows\System32\tybfgy.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files\edge_BITS_4664_660643336\RuntimeBroker.exe	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
File created	C:\Program Files\edge_BITS_4664_660643336\9e8d7a4ca61bd9	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC46BB5BDC8A9C421291313350C4D15F49.TMP	csc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3824	PING.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3824	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2532	powershell.exe
2532	powershell.exe
5024	powershell.exe
5024	powershell.exe
5056	powershell.exe
5056	powershell.exe
1780	powershell.exe
1780	powershell.exe
5032	powershell.exe
5032	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
2532	powershell.exe
5056	powershell.exe
5032	powershell.exe
1780	powershell.exe
5024	powershell.exe
2524	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2524	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
2524	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2524	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2524	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4232	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	90
PID 2208 wrote to memory of 4232	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	90
PID 4232 wrote to memory of 548	4232	csc.exe	92
PID 4232 wrote to memory of 548	4232	csc.exe	92
PID 2208 wrote to memory of 3700	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	93
PID 2208 wrote to memory of 3700	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	93
PID 3700 wrote to memory of 1460	3700	csc.exe	95
PID 3700 wrote to memory of 1460	3700	csc.exe	95
PID 2208 wrote to memory of 2532	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	96
PID 2208 wrote to memory of 2532	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	96
PID 2208 wrote to memory of 388	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	97
PID 2208 wrote to memory of 388	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	97
PID 2208 wrote to memory of 1780	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	98
PID 2208 wrote to memory of 1780	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	98
PID 2208 wrote to memory of 5024	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	99
PID 2208 wrote to memory of 5024	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	99
PID 2208 wrote to memory of 5032	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	100
PID 2208 wrote to memory of 5032	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	100
PID 2208 wrote to memory of 5056	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	101
PID 2208 wrote to memory of 5056	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	101
PID 2208 wrote to memory of 2076	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	108
PID 2208 wrote to memory of 2076	2208	fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe	108
PID 2076 wrote to memory of 5336	2076	cmd.exe	110
PID 2076 wrote to memory of 5336	2076	cmd.exe	110
PID 2076 wrote to memory of 3824	2076	cmd.exe	111
PID 2076 wrote to memory of 3824	2076	cmd.exe	111
PID 2076 wrote to memory of 2524	2076	cmd.exe	118
PID 2076 wrote to memory of 2524	2076	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
"C:\Users\Admin\AppData\Local\Temp\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k4xeumul\k4xeumul.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9599.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC46BB5BDC8A9C421291313350C4D15F49.TMP"
    3⤵
    PID:548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1jrsljth\1jrsljth.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A7B.tmp" "c:\Windows\System32\CSC88C21C6FE6164A39B6D127B3B17D1640.TMP"
    3⤵
    PID:1460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4664_660643336\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rtZfXZy9Na.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5336
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3824
- - C:\Users\Admin\AppData\Local\Temp\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe
    "C:\Users\Admin\AppData\Local\Temp\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\edge_BITS_4664_660643336\RuntimeBroker.exe

Filesize
1.6MB

MD5
82d57ff1bfcade0c2a515e8f860739eb

SHA1
01c4325519c55f650dd5fb98e9c41422c987f982

SHA256
fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d

SHA512
7c0477a2289ff1c1c943f3938166cd8c00c898d212329c84de27140942918b028afa2186fff12694bc914fec8cf1141813f0e3024a5d653ebb4dbc6c6d2fe519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fe402f76d319a9f80cd522e793223efbc3f914bfe149da1801c999b8539c964d.exe.log

Filesize
1KB

MD5
4ef3ab577fdbd5c7dd815e496ecd5601

SHA1
8dd86865a8e5f1c4c77a21cc2b26cc31e8330ad8

SHA256
72a639b0e0027ca8e0bb9d3cbd12b56797c431a9171acaea9217aff387961964

SHA512
ffe35302cf9922fb22d681c989162a46220b949b5dcaf076eadb1ced347ff0b7a77421ce6ee06514faf9c5364e2094f5a2ec239a537c28c88d32e21262501c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d670b8afc1f95fa27664d1d5e1aedbd9

SHA1
812b6782aaaae476d0fc15084109ab1b353db9b1

SHA256
f51a65f1321a8bf64493baf04ab9d3c3eaa2643f007947cca51c8be012765cf4

SHA512
8d05512ae3a77e4c4caf8cc4e19e22e0a4a646bffd3cec3518e45bdb7aeb9feac44837b12e03a60046f5558e91729aa646b2c8ac8192d9e6e98feecdbe6eaa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3930c254bc452c4fd482e3059b51aa04

SHA1
1c4bdb41f3a7c9d4ee3b8006cc1c495eedb072e2

SHA256
dc600748250d0dd0ffa2678049fd27ec8e56e262601f3d8a1fd7165b03f97fb8

SHA512
888565d3356b5fc9c5b55d6842c520487219bc2220df2a56cb74686cc36ebd0fbd1ab9f2a17f93e9c15031c8d6366031a4fd2c1f8a6f8cf96bc3a5939f31a083

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9599.tmp

Filesize
1KB

MD5
8aa51e9abe27f1686100911d52b44cab

SHA1
0912f6c7808f0f81c911836107724282c5958a78

SHA256
81125bb4d57d943c95cdcc343f9cef0082fa1fb1ff91e304c9909c527a72f28a

SHA512
1a1431af86e02920a3b2b9b58b2ca0d963f20afdb6638bfba941becf8cd4973b7becb442860b6550189e3fa76f65cd04130de0605591524a5ee604adadea0ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9A7B.tmp

Filesize
1KB

MD5
6bb902d0ae73b3b54fa25b87c8a56e4f

SHA1
f09dffbe932b8cb4c3e4d5c8f99583d23517329f

SHA256
d8c32d3f3124dea1590cc8a2fdfd1e54b371e63667904e2694605eb04de2fb46

SHA512
246bfc98f828ebeff0d82a6f4a9ddd45066bcc24bbeb29b0eceb9b558041fb847c9e703ba8d7a604352002c8e1335518bc577d05d13bff2f505dbb87e116158c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljwwqzkt.e35.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rtZfXZy9Na.bat

Filesize
230B

MD5
2517453353d545bbb89af063ffc893fb

SHA1
7f322372c07bbad9e8d7590762312f1929ceddb8

SHA256
624aa2c01e04a989a2dda3a0d75198c742f90d640f9c18718808a00dba4a7235

SHA512
670b05981f424b980964649abf4971550b51bd3da42f6da12a96a6136e712aacb05401de2ec23bcb58279bdd2e19bc7133270b187fc71d18ea6eba5f56af30bd

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC46BB5BDC8A9C421291313350C4D15F49.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1jrsljth\1jrsljth.0.cs

Filesize
391B

MD5
a30c0f3e80e5ed67978085c38c66e61f

SHA1
490a1e66ff65c9c647dd7cb3b8184e3e7a3ca368

SHA256
003f21ab04fcd108f3fb047eca081da97af8ce0f0f326ce02ab590e1d73ed9cb

SHA512
0f6830f5a774b11dc139ac4416d9097f01ed8f9233d53106b4595bcfd97695c54ccd856596fc3319df0697c1f0f1aa327bd609102389054323d9cd4e52d1bee0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1jrsljth\1jrsljth.cmdline

Filesize
235B

MD5
007988b22a7527ad131da84a62e51be9

SHA1
e4a6843ba6c79de8b6808ebe2d58b1bb2d7f7b38

SHA256
5fe876996eda394eca06e8e2c50968047155a524d0c7d40ae46b70f2a1c13207

SHA512
65a0d785c7f7c49a770076a6af254350b5a3b19562479d1f10b9858788104278b3df6e1d28f018ff3c478d1401d6241099c561c0ec4b14efb3e60936526236c0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4xeumul\k4xeumul.0.cs

Filesize
421B

MD5
a683c429179e263267b613f14864e126

SHA1
1d4445d1efb1b78498a37d47a80a739697526753

SHA256
a5679323b71233c280a67cfd4f631d82b436467dc35d14bba66349e54526617e

SHA512
6e0660724b8c9d205e96a1e56ee8815097a5805a3343f0ce84de7948282235c81d0d56efb13c5780fc158c5f54921ee0dd4ebf6001db6751f36affa05bdaa5a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k4xeumul\k4xeumul.cmdline

Filesize
265B

MD5
dc7b15453cbe8da06bf925432ab2e5b8

SHA1
da196b67fcf9af582f7458fdbe41e349d4c78da2

SHA256
ffee77b735f8ebb3499abe004c4ca558432552433b0319a1ce70408cdbf951c8

SHA512
02988d90020f675859d6aa2ea9e935471b0a7a824e9b045e56f3f436c37020d6729162cb6f34d4ae34f224f82ccbf0d191528b2866f29a5cb26445a9eb645fe2

Download Submit
\??\c:\Windows\System32\CSC88C21C6FE6164A39B6D127B3B17D1640.TMP

Filesize
1KB

MD5
47c2c093d947e0ac02da7b691bc6fce5

SHA1
cea2d7ae6980b07a96341527b162067d0382f07a

SHA256
ed7a05f9a0b94b9625377eecd69e9741bb3c59a03f1acc19c488349da4fb391e

SHA512
eaaa26d251e9d622168daf15ee1c881e5b9a7817251411d0c0e2badad42739e4cfdd62befed0298bf8f8c65850d343c4485b89853d7124cb086949a2d04f02e5

Download Submit
memory/2208-9-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-24-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-25-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-0-0x00007FF969713000-0x00007FF969715000-memory.dmp

Filesize
8KB

Download
memory/2208-52-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-8-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2208-6-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/2208-4-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-3-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-2-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/2208-1-0x0000000000260000-0x000000000040A000-memory.dmp

Filesize
1.7MB

Download
memory/2524-125-0x0000000002C50000-0x0000000002CBB000-memory.dmp

Filesize
428KB

Download
memory/2532-64-0x000001FC7DC30000-0x000001FC7DC52000-memory.dmp

Filesize
136KB

Download