dcrat | 58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 22:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
Size

2.9MB
MD5

4662fe6f5c51595aebafd8121ec36063
SHA1

0659d4c5fbd528ca0029f59c592e7977cb3961c4
SHA256

58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5
SHA512

97cf55835e85bf4663112e2c8e8298f0dea4592253c57c50576a12e25b323915ad1bbce1337dca01d771d3c080b9b7b88a48f5b8facdfb2040c65208b21e7828
SSDEEP

49152:6ZB1G8Y5JpDd0Tv4DmBPO6XXb2m5NtmkGzNgL9eqTHhAL24LvXKpFhkgDoba18sM:g3G7Dd24a95qRgoShmLv+DUap8

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1636	schtasks.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1636	schtasks.exe	37

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001535e-26.dat	dcrat
behavioral1/files/0x0007000000015677-47.dat	dcrat
behavioral1/memory/1756-51-0x0000000000060000-0x00000000002F6000-memory.dmp	dcrat
behavioral1/memory/2460-78-0x0000000001070000-0x0000000001306000-memory.dmp	dcrat
behavioral1/memory/2008-90-0x00000000001F0000-0x0000000000486000-memory.dmp	dcrat
behavioral1/memory/2580-102-0x0000000001380000-0x0000000001616000-memory.dmp	dcrat
behavioral1/memory/784-115-0x0000000000350000-0x00000000005E6000-memory.dmp	dcrat
behavioral1/memory/924-128-0x00000000002B0000-0x0000000000546000-memory.dmp	dcrat
behavioral1/memory/3000-140-0x00000000010C0000-0x0000000001356000-memory.dmp	dcrat
behavioral1/memory/1572-177-0x0000000001360000-0x00000000015F6000-memory.dmp	dcrat

Drops startup file 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259398212	HUI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe	HUI.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe	HUI.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\__tmp_rar_sfx_access_check_259397885	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe

Executes dropped EXE 15 IoCs

pid	Process
2552	HUI.exe
2564	DCRatBuild.exe
1756	Containerwebwin.exe
2460	smss.exe
2008	smss.exe
2580	smss.exe
784	smss.exe
924	smss.exe
3000	smss.exe
2164	smss.exe
3036	smss.exe
1572	smss.exe
1600	smss.exe
2472	smss.exe
2808	smss.exe

Loads dropped DLL 3 IoCs

pid	Process
2744	cmd.exe
2320	cmd.exe
2320	cmd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe	Containerwebwin.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\56085415360792	Containerwebwin.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\audiodg.exe	Containerwebwin.exe
File created	C:\Windows\Downloaded Program Files\42af1c969fbb7b	Containerwebwin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1148	schtasks.exe
3056	schtasks.exe
2068	schtasks.exe
2332	schtasks.exe
1468	schtasks.exe
1284	schtasks.exe
2488	schtasks.exe
2120	schtasks.exe
600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1756	Containerwebwin.exe
1756	Containerwebwin.exe
1756	Containerwebwin.exe
2460	smss.exe
2008	smss.exe
2580	smss.exe
784	smss.exe
924	smss.exe
3000	smss.exe
2164	smss.exe
3036	smss.exe
1572	smss.exe
1600	smss.exe
2472	smss.exe
2808	smss.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	Containerwebwin.exe
Token: SeDebugPrivilege	2460	smss.exe
Token: SeDebugPrivilege	2008	smss.exe
Token: SeDebugPrivilege	2580	smss.exe
Token: SeDebugPrivilege	784	smss.exe
Token: SeDebugPrivilege	924	smss.exe
Token: SeDebugPrivilege	3000	smss.exe
Token: SeDebugPrivilege	2164	smss.exe
Token: SeDebugPrivilege	3036	smss.exe
Token: SeDebugPrivilege	1572	smss.exe
Token: SeDebugPrivilege	1600	smss.exe
Token: SeDebugPrivilege	2472	smss.exe
Token: SeDebugPrivilege	2808	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2744	2848	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe	28
PID 2848 wrote to memory of 2744	2848	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe	28
PID 2848 wrote to memory of 2744	2848	58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe	28
PID 2744 wrote to memory of 2552	2744	cmd.exe	30
PID 2744 wrote to memory of 2552	2744	cmd.exe	30
PID 2744 wrote to memory of 2552	2744	cmd.exe	30
PID 2552 wrote to memory of 2564	2552	HUI.exe	31
PID 2552 wrote to memory of 2564	2552	HUI.exe	31
PID 2552 wrote to memory of 2564	2552	HUI.exe	31
PID 2552 wrote to memory of 2564	2552	HUI.exe	31
PID 2564 wrote to memory of 3016	2564	DCRatBuild.exe	32
PID 2564 wrote to memory of 3016	2564	DCRatBuild.exe	32
PID 2564 wrote to memory of 3016	2564	DCRatBuild.exe	32
PID 2564 wrote to memory of 3016	2564	DCRatBuild.exe	32
PID 2564 wrote to memory of 2184	2564	DCRatBuild.exe	33
PID 2564 wrote to memory of 2184	2564	DCRatBuild.exe	33
PID 2564 wrote to memory of 2184	2564	DCRatBuild.exe	33
PID 2564 wrote to memory of 2184	2564	DCRatBuild.exe	33
PID 3016 wrote to memory of 2320	3016	WScript.exe	34
PID 3016 wrote to memory of 2320	3016	WScript.exe	34
PID 3016 wrote to memory of 2320	3016	WScript.exe	34
PID 3016 wrote to memory of 2320	3016	WScript.exe	34
PID 2320 wrote to memory of 1756	2320	cmd.exe	36
PID 2320 wrote to memory of 1756	2320	cmd.exe	36
PID 2320 wrote to memory of 1756	2320	cmd.exe	36
PID 2320 wrote to memory of 1756	2320	cmd.exe	36
PID 1756 wrote to memory of 1420	1756	Containerwebwin.exe	47
PID 1756 wrote to memory of 1420	1756	Containerwebwin.exe	47
PID 1756 wrote to memory of 1420	1756	Containerwebwin.exe	47
PID 1420 wrote to memory of 2752	1420	cmd.exe	49
PID 1420 wrote to memory of 2752	1420	cmd.exe	49
PID 1420 wrote to memory of 2752	1420	cmd.exe	49
PID 1420 wrote to memory of 2460	1420	cmd.exe	50
PID 1420 wrote to memory of 2460	1420	cmd.exe	50
PID 1420 wrote to memory of 2460	1420	cmd.exe	50
PID 2460 wrote to memory of 2572	2460	smss.exe	51
PID 2460 wrote to memory of 2572	2460	smss.exe	51
PID 2460 wrote to memory of 2572	2460	smss.exe	51
PID 2460 wrote to memory of 1304	2460	smss.exe	52
PID 2460 wrote to memory of 1304	2460	smss.exe	52
PID 2460 wrote to memory of 1304	2460	smss.exe	52
PID 2572 wrote to memory of 2008	2572	WScript.exe	53
PID 2572 wrote to memory of 2008	2572	WScript.exe	53
PID 2572 wrote to memory of 2008	2572	WScript.exe	53
PID 2008 wrote to memory of 2728	2008	smss.exe	54
PID 2008 wrote to memory of 2728	2008	smss.exe	54
PID 2008 wrote to memory of 2728	2008	smss.exe	54
PID 2008 wrote to memory of 1644	2008	smss.exe	55
PID 2008 wrote to memory of 1644	2008	smss.exe	55
PID 2008 wrote to memory of 1644	2008	smss.exe	55
PID 2728 wrote to memory of 2580	2728	WScript.exe	58
PID 2728 wrote to memory of 2580	2728	WScript.exe	58
PID 2728 wrote to memory of 2580	2728	WScript.exe	58
PID 2580 wrote to memory of 2564	2580	smss.exe	59
PID 2580 wrote to memory of 2564	2580	smss.exe	59
PID 2580 wrote to memory of 2564	2580	smss.exe	59
PID 2580 wrote to memory of 2184	2580	smss.exe	60
PID 2580 wrote to memory of 2184	2580	smss.exe	60
PID 2580 wrote to memory of 2184	2580	smss.exe	60
PID 2564 wrote to memory of 784	2564	WScript.exe	61
PID 2564 wrote to memory of 784	2564	WScript.exe	61
PID 2564 wrote to memory of 784	2564	WScript.exe	61
PID 784 wrote to memory of 324	784	smss.exe	62
PID 784 wrote to memory of 324	784	smss.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe
"C:\Users\Admin\AppData\Local\Temp\58ecc731f0d4cf939a83cc33adb8c2107c5e10b9171b87c6a901b2ee0275a6e5.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe
    HUI.exe -p16336311
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Blockcommonitor\jZZXJTfXw.vbe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Blockcommonitor\Q8sYjEW8L9fGjuU7hv1qT.bat" "
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Blockcommonitor\Containerwebwin.exe
        
        "C:\Blockcommonitor\Containerwebwin.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wSrIIOLQmD.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2752
        
        C:\Users\Default\Desktop\smss.exe
        
        "C:\Users\Default\Desktop\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65a29eb7-6ac9-43cc-a217-634af5e420ad.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31d8c5db-ea05-46db-b4fa-7a52bd5f2ad2.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d4322e4-e4b6-4500-978e-758765516557.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7be93e51-a3f1-45ba-a550-8fe884437d60.vbs"
        16⤵
        
        PID:324
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df447eba-ba87-44a9-ada7-45569c8084f3.vbs"
        18⤵
        
        PID:452
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\914720cc-faf8-4d59-a027-839200ade17b.vbs"
        20⤵
        
        PID:1476
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\682094a4-5ff6-467d-8084-1ed54deb4ca7.vbs"
        22⤵
        
        PID:2812
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81d3123c-e1a1-49f0-990b-6123cffc99c5.vbs"
        24⤵
        
        PID:2080
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb837b59-05f6-4d16-8487-206f50b3f007.vbs"
        26⤵
        
        PID:968
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34e0164a-1058-41ad-a2ba-0791d79655f7.vbs"
        28⤵
        
        PID:2192
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8078cc36-380b-47e3-ba9f-7a1832408056.vbs"
        30⤵
        
        PID:2388
        
        C:\Users\Default\Desktop\smss.exe
        
        C:\Users\Default\Desktop\smss.exe
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49cd7113-fec3-4fa3-a377-0cc98b7af252.vbs"
        32⤵
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc11e69f-7ee1-4ae6-bf35-70caae5f3325.vbs"
        32⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cacbe69-aee4-449c-9c9d-203b7c093cbd.vbs"
        30⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aa4214a-b39a-4223-9287-2c7e9a336626.vbs"
        28⤵
        
        PID:2620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\def2b9f8-1812-4f78-a9c0-e5c0be7196e0.vbs"
        26⤵
        
        PID:2748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e737bab6-8a3b-4051-9c26-e99fae3008ef.vbs"
        24⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f719564f-9eea-415f-af52-ba17d4e9d779.vbs"
        22⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\807e7dfc-0e07-473a-833a-6d3743e8cb2a.vbs"
        20⤵
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c649b59e-a754-4e2c-9263-13fa53a14f97.vbs"
        18⤵
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62b8f5cd-6736-416a-b4cc-4b27af83ba41.vbs"
        16⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7fb7936-48fe-402c-900b-d4f8da9c32d4.vbs"
        14⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47592074-7195-44b8-8494-f707152c14c6.vbs"
        12⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62f11461-79e3-4c3b-a738-a132179f247b.vbs"
        10⤵
        
        PID:1304
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Blockcommonitor\file.vbs"
        5⤵
        
        PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Blockcommonitor\Q8sYjEW8L9fGjuU7hv1qT.bat

Filesize
40B

MD5
d68aa7ed0a0ed53939d0996767a56021

SHA1
900609028724f7b980ff505416c483ca7162ae0e

SHA256
c7aeb05c3d3be57d16aa94c28b376e2977a47ebe2566544b3072450d876d489b

SHA512
d1c944ff37b5a52426dfeebc6790fc5b9d9e403ace26a1a95c571ec630d925ff537b7a22a90176efdab17e2d8b77e76e51b04e3a8fdd07ccb6e8e8b03f7379fc

Download Submit
C:\Blockcommonitor\file.vbs

Filesize
34B

MD5
677cc4360477c72cb0ce00406a949c61

SHA1
b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

SHA256
f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

SHA512
7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

Download Submit
C:\Blockcommonitor\jZZXJTfXw.vbe

Filesize
213B

MD5
e36321449d4449688960a4ef8374c9bb

SHA1
2414a6fb6b2752525ee5959b0a4356ec080c5ebf

SHA256
d39231d19b973edcd275ad9cea944942a444d4d1f67ea18b356e248cacef53d6

SHA512
44dd2c67a1d1b73a7fe1bab19048ead24fdc6886ab95b855cde6ae0b8ea0a04ea87d253a0800d0616af618d09fe560813b61ad200e82cd39bf50761f1ac1973f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d4322e4-e4b6-4500-978e-758765516557.vbs

Filesize
709B

MD5
2928b079479ba7988c9cec6321919a76

SHA1
1e2f10cef5804b206c7a05c831fdf03e0c3d45b3

SHA256
84ad68acfebcd23b06730077f5c70ffaba2397250b2b1cca1f14ef5f26ad36cb

SHA512
eecf24a580027cf94fa8cd634f93cd51b7ab183d74ae8011b111a2b23305fe0c8bbf28bb1f6ff1f8f933d054108e4d54a8bfbaed52436cd5b3c09fef92d24272

Download Submit
C:\Users\Admin\AppData\Local\Temp\31d8c5db-ea05-46db-b4fa-7a52bd5f2ad2.vbs

Filesize
709B

MD5
2cc6c5869556f24c7783299ca5060664

SHA1
a1e7650c3d491fb08fb207765abbaf0cc455f68f

SHA256
7005f0cbe66214175d0d6bcc2f4eef806d8efce71544831a1b7b5914a230377d

SHA512
e5faf81755690654c4b59e8716ba296d8fc526cdf8e6acd834dba964681c3ea210611620f3d976a5fd99c6b2eebf2b1fca81c1a511fca3292e6750bbc391e2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\34e0164a-1058-41ad-a2ba-0791d79655f7.vbs

Filesize
709B

MD5
da0a0937a35975ad09a62652174c6f02

SHA1
913dae6f1fc2a176e709463a9709ac4aeea9f4a2

SHA256
d523b74aa891effb4e11f0e074effd60841ffd8e8c336914f2fc935bfebd33fd

SHA512
19d46f7613f0c4f0628ff3392e20c0ce5720ff579d8e68470749a7db6a280574d946f78cf215164bac00ea4043b8850cb1f759cad48a0d59962348f4f4175803

Download Submit
C:\Users\Admin\AppData\Local\Temp\49cd7113-fec3-4fa3-a377-0cc98b7af252.vbs

Filesize
709B

MD5
ff60593606c3a1199f3c2f2d33a87d12

SHA1
08efcd8a7872802e1645bf36c487ca1fe197578d

SHA256
dc638b3e8d98ebedd0b6db3a72f344ce258483b731f160b82368f8b6b745261e

SHA512
c4576bb497e4a0a5d0b6684014e21d812453770ab8b89183dc2c94ccc7b9be055233da7e2471278703d08651b7fa329f8f4af26bcf0d8c8bc63c752fa7949726

Download Submit
C:\Users\Admin\AppData\Local\Temp\62f11461-79e3-4c3b-a738-a132179f247b.vbs

Filesize
485B

MD5
e4e8e386788491728b1e4bbf1722d7f2

SHA1
d581454f98462fd4ae4de5b9065195d8452ad35e

SHA256
086d3ce734770badbac2230cf6e25b6110f611f0cd7124fe7f9f7ad478180f47

SHA512
8ebc1ef347b3bb49993501aa318a70dc903c7cdb393838151cfee893237613657a18b9401b82741bd168a9e3a5332d62cf3764633ee451c8e8bc4572e822b8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\65a29eb7-6ac9-43cc-a217-634af5e420ad.vbs

Filesize
709B

MD5
f64edb7f79c8f603a1c22de9a1e338f1

SHA1
eaa34847889bbc49a1dd64472678f099f9d82904

SHA256
b0748f170c388d4f22c3ec3be7b5a963553e5e0453b80597fbc5f54d0ee1a05e

SHA512
8a8f1c74e676e66b259d86c8a9f469c0a133e5d4d1ddff785134618b1353d6ab14eb164d2ce340d1b68f8abc213ad55f2d78d5e19abd087b30a4a194072edc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\682094a4-5ff6-467d-8084-1ed54deb4ca7.vbs

Filesize
709B

MD5
780fde89877af8b8c60c850a803d0e5d

SHA1
a21db8076f165689932232b4ba9c44498e70911b

SHA256
bc99045a63a6d5d64d6a8ba6b2d9232a9e25e19c776e3ba4f949b7a51fea51fa

SHA512
af33948fb6af31d1e4c0fda1e57f3dd5b316bfbde061d29baf06598ef90ff713c20df7a69a66d7b4abc056772fa961a1d11772753da9cf6107cba2f28f6f88da

Download Submit
C:\Users\Admin\AppData\Local\Temp\7be93e51-a3f1-45ba-a550-8fe884437d60.vbs

Filesize
708B

MD5
aa809ccbff09e89afc6bb250c25e9067

SHA1
dd1a1fdd56512e242a2c784434f953295ac05d88

SHA256
bba053ee9a9d73863574667e8a311f0885eb1d43c728a25f276a3b64e69ab52d

SHA512
6c380804559b9abd1b00a51490b9e94bda143e4c77739ac0c109c2bd19f3837d13bd435a65b1b55969a7799f6433fa3652d070df813e4fdb1195414e47a9b304

Download Submit
C:\Users\Admin\AppData\Local\Temp\8078cc36-380b-47e3-ba9f-7a1832408056.vbs

Filesize
709B

MD5
032dc593fce4b6395f330867a5771d65

SHA1
8b75ea911455ca03e957cda1268f67ed79041ad5

SHA256
c0b5f419d97e61e20db969a6e6723998b1780b37ac7b40bf8dc7d066e07e7689

SHA512
88791dc4032d696ab1c6f0567c353ff6a14d78fedac9233b8ad3cb0b95dafb1d00b5e45cb0905e925b0989aac2477cd0ddded2382bb1746c208193e8b69d2099

Download Submit
C:\Users\Admin\AppData\Local\Temp\81d3123c-e1a1-49f0-990b-6123cffc99c5.vbs

Filesize
709B

MD5
6ffa668e75963e42b4b81d44a9282d7b

SHA1
1bac1a729ba3f62e0968aff799d76dccd1fde5d3

SHA256
4a1eaf6115bd912ea6e66e1a473e4d53aa1047656b93c358dca2f9640712ff35

SHA512
1f6dd378bd9dba4888cfab67a42c2a2d28cae2aae669ede22e51471144c2bc59704f57924afad0e4448d3e71fd0605c39b962609a6681624635864d5a25800a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\914720cc-faf8-4d59-a027-839200ade17b.vbs

Filesize
709B

MD5
6b103fdc07c8c11880a48055043ab750

SHA1
fd50dfe1dcbe55fbc95ca852ad6c8aefc924f494

SHA256
25da0f34fde46a3d34f0bc10052b4c08ea1b6972d14e286bdb40ae170214e9f7

SHA512
6aca91b3c2cf3a668aa51681a043300c340017fe9d62643b707ebbd91a87ae7c2af84e8aa3cb60a91a0f3e216f0fe8ee46373dfceee91efc7b2396472a9da5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\df447eba-ba87-44a9-ada7-45569c8084f3.vbs

Filesize
708B

MD5
a612c1c6067c287c0464e6dbd72e0169

SHA1
9e0bfbaef93829c0bb6fa3a9f9e45ca29259975f

SHA256
ab6eca03b81f679c8311298d673a8207019ae7e36e6969c5d125fe16cc1b9be6

SHA512
a5711870ca4cae3a2b25002bd6ae7b1ff707f5ee06a46bfa32bee4c0f5d0537b75e47c93eb9e68efd96e6f4e25e8f3bc283e472ed5afb59ca3ff974b135bb3dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb837b59-05f6-4d16-8487-206f50b3f007.vbs

Filesize
709B

MD5
5e6f7ad5602f05617e635180a22b9eb9

SHA1
c2c187638fc5002a8306394fc2b4fbd0a05c9fab

SHA256
a2324588b4364d2adb90903ce599b5249c215a1df51c4a866fb07b93de4ea960

SHA512
17424257c7e402bde82137d11f4a26f168df9405b2355f5d2891da9141be748b2f912c44ecec4d3b2dc358c7530eeadcbd5edb833054b50d75858fbd76b93e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\wSrIIOLQmD.bat

Filesize
198B

MD5
8e9ab8cf4f1f98b202b415a67c10228c

SHA1
4964ff55241b5c56679c46805725e3ee3ecb385b

SHA256
583c206d5aaee08b532e880263b61d9773e10aa475367cb0304957c05d9531d9

SHA512
8381ebcb803475ab391d73c01542fab2f27cd803e214a871d720227507452c6819c1aa08683d48fe18788603e4be70aea0bcc4692203d40845df3946615329cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCRatBuild.exe

Filesize
2.9MB

MD5
293b6f4b745915079b40780365ed39dd

SHA1
20488972b4e32ba9829467e4241f155dbf044758

SHA256
98eb2ad98cc87ba4360821d2f829bc7d7fa188876c6d10f7698e19d0289a558f

SHA512
de49315a5134a55d1cac17425a3056a77d91a90f5bc726f3e69986f0458ffbf85236fdcf0a1bbd084e25ea952363bb1acfe8290928a71ce5769a1935e742b497

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HUI.exe

Filesize
2.7MB

MD5
afda7cb58731fe6b387ced3d36e46d4f

SHA1
50e44067d2541b1bfd5517c7dc46d51c0f415a05

SHA256
aaa1b9d0ad8da53b5f751de4e9f96add9821d45003777a909ebe064c098dc037

SHA512
50f082f5e802921c04bb467ae1cec6049bfe8e4c6e2f6d969db845cabda80339b4958fa2ed4cbf8d66529e39dcdcb9c8a3a2283ac89c5c8581f12578814c9d7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat

Filesize
24B

MD5
e9346834d9fae22f2efbb5ad85499996

SHA1
0ab244641b14e68290dfa98f8d50414c501e8778

SHA256
8776711ae3319db0babedd398b89268cfe69884e265a43d7e1bb7ed0b57ba284

SHA512
0c0e206e4ff9f680f71965cf346ec07f5eb04e5e970fefc1d9c5cd52286b6bd3340de0308cef9dc583e0ec61c9dc0b627c23125cbb1fe9f7cce8dd7a4a0ae995

Download Submit
\Blockcommonitor\Containerwebwin.exe

Filesize
2.6MB

MD5
e105ab45b46d7884e37e6dd909021c71

SHA1
713c42873b09df7b9b2c1a72b4193b75788dc6a6

SHA256
7840d1f25cb39fc847cd1003d095cf10ac9f26fd15397b6e9eaf34f860106a33

SHA512
ded9d015dbfbbae0bdfcb5871cfbf87077e4e339f974d497930acc70b32686157a636b29f23da1cde0a6eee6e899debcb9f5ab4aaec5ec9adaa6375fd264d707

Download Submit
memory/784-116-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/784-115-0x0000000000350000-0x00000000005E6000-memory.dmp

Filesize
2.6MB

Download
memory/924-128-0x00000000002B0000-0x0000000000546000-memory.dmp

Filesize
2.6MB

Download
memory/1572-177-0x0000000001360000-0x00000000015F6000-memory.dmp

Filesize
2.6MB

Download
memory/1572-178-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/1600-190-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/1756-56-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/1756-61-0x000000001A910000-0x000000001A91E000-memory.dmp

Filesize
56KB

Download
memory/1756-51-0x0000000000060000-0x00000000002F6000-memory.dmp

Filesize
2.6MB

Download
memory/1756-52-0x00000000005F0000-0x00000000005FE000-memory.dmp

Filesize
56KB

Download
memory/1756-53-0x0000000000800000-0x000000000081C000-memory.dmp

Filesize
112KB

Download
memory/1756-54-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/1756-64-0x000000001A940000-0x000000001A94C000-memory.dmp

Filesize
48KB

Download
memory/1756-63-0x000000001A930000-0x000000001A938000-memory.dmp

Filesize
32KB

Download
memory/1756-62-0x000000001A920000-0x000000001A928000-memory.dmp

Filesize
32KB

Download
memory/1756-55-0x000000001A880000-0x000000001A8D6000-memory.dmp

Filesize
344KB

Download
memory/1756-57-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/1756-58-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/1756-59-0x000000001A8F0000-0x000000001A8FC000-memory.dmp

Filesize
48KB

Download
memory/1756-60-0x000000001A900000-0x000000001A90A000-memory.dmp

Filesize
40KB

Download
memory/2008-90-0x00000000001F0000-0x0000000000486000-memory.dmp

Filesize
2.6MB

Download
memory/2164-153-0x0000000000590000-0x00000000005E6000-memory.dmp

Filesize
344KB

Download
memory/2460-78-0x0000000001070000-0x0000000001306000-memory.dmp

Filesize
2.6MB

Download
memory/2460-79-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download
memory/2580-102-0x0000000001380000-0x0000000001616000-memory.dmp

Filesize
2.6MB

Download
memory/2580-103-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2808-213-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/3000-141-0x0000000000410000-0x0000000000466000-memory.dmp

Filesize
344KB

Download
memory/3000-140-0x00000000010C0000-0x0000000001356000-memory.dmp

Filesize
2.6MB

Download
memory/3036-165-0x0000000001070000-0x00000000010C6000-memory.dmp

Filesize
344KB

Download