Analysis

  • max time kernel
    146s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-07-2024 04:21

General

  • Target

    F946CEB3DFBC4802323F045E77B9FC63.exe

  • Size

    1.3MB

  • MD5

    f946ceb3dfbc4802323f045e77b9fc63

  • SHA1

    04beac37360d30c5ad933f82f80bfd41ae294cc4

  • SHA256

    682f5e5eb1673b692d4009f655f51b7926031ff7e8c1d4aecfd62cfd1e1d7c2a

  • SHA512

    7ad0db10f788d63d44a85981ccd9cf7c5acaadad66d1fd4c34554eb77bd1582e49549c917eb39e0c17e7b55b2fc0e262c059e1d85c188f1a3649879368a834e3

  • SSDEEP

    24576:qwwpL4DsvfsODQY2mq7yTK32HbzpEOlM7RJFolBjvmPln0Ep9GKc6NC1t:qw8LnsvQKMzpEOlM7RJqlhgq8rC1

Malware Config

Signatures

  • DcRat 32 IoCs

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 17 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 14 IoCs
  • Adds Run key to start application 2 TTPs 20 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe
    "C:\Users\Admin\AppData\Local\Temp\F946CEB3DFBC4802323F045E77B9FC63.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c992be04-a7ce-4e75-aa3e-cc8a031cd069.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
          "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2640
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\554a812c-6e64-4976-917b-b8c217eef133.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
              "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:3028
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02b2c8dd-a004-4603-aae9-80f7cfaf0392.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2240
                • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                  "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2556
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7cba06e-41cb-4db8-bd47-19334d3baca4.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2380
                    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                      10⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1056
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2065a06-8de0-4c35-ba5e-115d6eba6aa5.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2488
                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                          "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                          12⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2172
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a3c1dbd-3802-4b93-97d8-13aecdd021d0.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2996
                            • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                              "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                              14⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:2352
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4288ef1-593e-4530-874f-a7d329b8d268.vbs"
                                15⤵
                                • Suspicious use of WriteProcessMemory
                                PID:2316
                                • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                                  "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1552
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db346c40-d642-45cf-9849-6518e8cf2d1c.vbs"
                                    17⤵
                                      PID:1268
                                      • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                                        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                                        18⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1028
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c7e21e4-935b-4538-b9de-dfb21e87e37e.vbs"
                                          19⤵
                                            PID:2432
                                            • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                                              "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                                              20⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2880
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da7b8004-084d-4484-91d8-006a680f7608.vbs"
                                                21⤵
                                                  PID:2512
                                                  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                                                    "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                    22⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2680
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25e4086b-0909-44d8-9b28-9637afc4b55c.vbs"
                                                      23⤵
                                                        PID:2120
                                                        • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                                                          "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                          24⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3000
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04563bed-1553-414e-ae78-d3a15bcae18a.vbs"
                                                            25⤵
                                                              PID:1480
                                                              • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                26⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1884
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\701ffe59-342a-4b24-9915-1193aba6b6cb.vbs"
                                                                  27⤵
                                                                    PID:872
                                                                    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe
                                                                      "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe"
                                                                      28⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3040
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0c03932-f6df-44ec-816b-da7d74c9a7b9.vbs"
                                                                        29⤵
                                                                          PID:2492
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060e3119-32c4-45e5-a453-18e83237504a.vbs"
                                                                          29⤵
                                                                            PID:3020
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85d00136-e2a1-4724-9072-777c88869235.vbs"
                                                                        27⤵
                                                                          PID:2832
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3febb715-348b-4270-8162-8dd91bebd902.vbs"
                                                                      25⤵
                                                                        PID:1768
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\401b26d2-a76d-4803-b5c0-74def1be72dc.vbs"
                                                                    23⤵
                                                                      PID:1544
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\487c5c4b-c9b4-428f-9414-65e1a9d3824a.vbs"
                                                                  21⤵
                                                                    PID:1440
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cd8beea-55b8-4c0e-b305-4fa2a37e99b4.vbs"
                                                                19⤵
                                                                  PID:2428
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85bdd41b-1b41-4b50-9844-8e3048458ffd.vbs"
                                                              17⤵
                                                                PID:764
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\370c6f9d-4807-41f6-8dfd-e3673cf6179e.vbs"
                                                            15⤵
                                                              PID:2076
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46f9be5c-d198-4e86-a936-ed56cd874a47.vbs"
                                                          13⤵
                                                            PID:1968
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf82d430-7ab2-4ae4-97d0-8f3645633a4f.vbs"
                                                        11⤵
                                                          PID:1516
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f39ea6c1-342a-4663-9d88-171aa9b5d1a7.vbs"
                                                      9⤵
                                                        PID:1528
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd2db0de-0ca3-464d-9c91-ecf7699dd997.vbs"
                                                    7⤵
                                                      PID:2300
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d7ba31a-a58b-4465-9145-6a8f84fbacba.vbs"
                                                  5⤵
                                                    PID:2308
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4720d6e-a386-4669-aa34-12891b5e9cb6.vbs"
                                                3⤵
                                                  PID:2724
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2792
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1920
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2960
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3040
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2804
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2704
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2688
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2732
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2716
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1968
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1872
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2244
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2416
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1124
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2096
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2992
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3012
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2888
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2192
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2240
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63F" /sc MINUTE /mo 12 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2484
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1784
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "F946CEB3DFBC4802323F045E77B9FC63F" /sc MINUTE /mo 10 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\F946CEB3DFBC4802323F045E77B9FC63.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1552
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:768
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:628
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\61b388a2-3b13-11ef-902f-d2f1755c8afd\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:308
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1856
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • DcRat
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1544

                                            Downloads
