Overview

overview

10

Static

static

3

7400236c0f...aN.exe

windows7-x64

10

7400236c0f...aN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2024 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe

  • Size

    4.9MB

  • MD5

    2b748156c46b12dda0fe68199c2853f0

  • SHA1

    11dc51c0fa65751c1a4747055700c6b54a91e845

  • SHA256

    7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1a

  • SHA512

    ab8a8c46da9e12024d0d4d5582fb2dc8af12e70db6f1a4c7e33ce34ed988efacac06e93a1ad05d12175eb2d450b71b4c2fa5363fa26e3099c9017a852b902fc5

  • SSDEEP

    49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat 32 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 30 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Executes dropped EXE 9 IoCs
  • Checks whether UAC is enabled 1 TTPs 20 IoCs
    evasiontrojan
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 30 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe
    "C:\Users\Admin\AppData\Local\Temp\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe"
    1⤵
    • DcRat
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1708
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1028
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2652
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1644
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2672
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Users\Admin\AppData\Local\Temp\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe
      "C:\Users\Admin\AppData\Local\Temp\7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1aN.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1696
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1800
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:796
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2328
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2528
      • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:2648
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30569d60-ae2f-4a5a-b4c3-bf64a7fd63f5.vbs"
          4⤵
            PID:2784
            • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
              C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:880
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebe202f7-f9f6-455e-a954-1c483df92d32.vbs"
                6⤵
                  PID:2968
                  • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                    C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                    7⤵
                    • UAC bypass
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:2176
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e73e9c-0edc-4df8-9636-eb5cb0be92d3.vbs"
                      8⤵
                        PID:2996
                        • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                          C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                          9⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:2308
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ef4f857-8019-420a-9c1d-22e6a040908c.vbs"
                            10⤵
                              PID:468
                              • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                11⤵
                                • UAC bypass
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2868
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e3bc92e-3e63-405c-a671-604fc3d5c3fd.vbs"
                                  12⤵
                                    PID:1556
                                    • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                      C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                      13⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:700
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2eb34f36-030d-4c25-a4de-f19633079b1a.vbs"
                                        14⤵
                                          PID:2388
                                          • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                            C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                            15⤵
                                            • UAC bypass
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:2772
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61332004-acb0-4da5-9be0-68475f22799d.vbs"
                                              16⤵
                                                PID:2296
                                                • C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                                  C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe
                                                  17⤵
                                                  • UAC bypass
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:1808
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d1a1ee3-5371-4517-b4ec-3855d7f43ca8.vbs"
                                                    18⤵
                                                      PID:1628
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ef15a78-3915-46ca-8e3b-b3e337033b0c.vbs"
                                                      18⤵
                                                        PID:2628
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2502e3e-85b5-4d85-b98f-15d5402ad769.vbs"
                                                    16⤵
                                                      PID:2856
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ce3c421-8fd8-4445-a296-5d338b64b239.vbs"
                                                  14⤵
                                                    PID:1316
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e688e6-af02-43b9-81fa-5a4528d7b53d.vbs"
                                                12⤵
                                                  PID:2852
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31db9356-0abe-4782-8bf2-66ba97532220.vbs"
                                              10⤵
                                                PID:1988
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9e3364-b120-40d0-877d-7fbd17439cc7.vbs"
                                            8⤵
                                              PID:1776
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13c8ab4a-a47b-4795-a30b-eff15763f708.vbs"
                                          6⤵
                                            PID:2652
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8cf400e-1c70-4e8f-8a0a-a9557e9ce49a.vbs"
                                        4⤵
                                          PID:956
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\csrss.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2984
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2716
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2432
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\images\dwm.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2888
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\dwm.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2612
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\images\dwm.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2364
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Rules\en-US\dllhost.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2852
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\en-US\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2596
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Rules\en-US\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2656
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:3052
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:3060
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1976
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:484
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2724
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2012
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2608
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1832
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1668
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2096
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2412
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2472
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\powershell.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:628
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\powershell.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2284
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\powershell.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2812
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:2232
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:908
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                    1⤵
                                    • DcRat
                                    • Process spawned unexpected child process
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:1328

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\0e3bc92e-3e63-405c-a671-604fc3d5c3fd.vbs
                                    Filesize

                                    737B

                                    MD5

                                    355460ee8286e2159586628044bc090d

                                    SHA1

                                    4da274ef9d698b87edd6f12d637a578acc4cb166

                                    SHA256

                                    5dc1a61e2b94a0101785f1191e918e2ef74a6f33299e208d5f2794b1038f8e9c

                                    SHA512

                                    1733e546d812bd0f5536928b420216acf9da8279dfbed6ba679019bfdd12440ea0576e4c04ccec0d54773d8f05bbd74addd005e5185d45d72942d26dc7253dce

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\1ef4f857-8019-420a-9c1d-22e6a040908c.vbs
                                    Filesize

                                    737B

                                    MD5

                                    164a60a7cc5405f731c5773f149b3cc4

                                    SHA1

                                    81b424e6a78eb289c6d9ebf9efb80275df2c6383

                                    SHA256

                                    6aef80f77cabfee43ff0a13c6e15d5ce7a0e4d807d0a61f3a0bc64a216396bea

                                    SHA512

                                    3c950bbc8fa6731ca1501a19c536ca64200656d7c3ae8c35a969d807cabaec0ee0f6d4d3536b7c2cf73e6b34fb14df89c4a2910532d4a21b6792f98d25ecb6c3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\2eb34f36-030d-4c25-a4de-f19633079b1a.vbs
                                    Filesize

                                    736B

                                    MD5

                                    986a1b8cd4ebf33515ce7d0ff8baf00a

                                    SHA1

                                    71ec3759f9795483666a9216e88d6d8086222dfc

                                    SHA256

                                    72ad65c59a84b03266af79dd8686b9074dfb99acc4dd35cf580e81919dd64cd8

                                    SHA512

                                    26ed8c7b3cc6132af8ce1dfb663995ab72e9199bd1943463a94a2a8de545e0fd93eae8799753a844fbd02fd9ef9f95f03a4a320b757958996b57d0bf57e70f29

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\30569d60-ae2f-4a5a-b4c3-bf64a7fd63f5.vbs
                                    Filesize

                                    737B

                                    MD5

                                    57ba4a21155a719b6dba0ce01f4e7d9e

                                    SHA1

                                    14f425f163deb3dd3ccec152ac8052736bf2ef39

                                    SHA256

                                    a112098fce0b802000a718c97e85ae4361ee79135c10339b81f958fabbbdf61b

                                    SHA512

                                    428f26aa95ba74bba59b43fe06a62b28cc5cbcdd51026582ce573067c72919a414d631511413d1fc985d2dbc1eebcb4fecc99692bc3c8ac2880a80a31f9993d6

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\44e73e9c-0edc-4df8-9636-eb5cb0be92d3.vbs
                                    Filesize

                                    737B

                                    MD5

                                    477bffedf6cd44fc58f0b9f7148b288a

                                    SHA1

                                    f1f969a39390f95bf6447472a96e30c27c551580

                                    SHA256

                                    89f921dc0131eef49cc70e4215a980e54b96bb94594073283912e76974a2486c

                                    SHA512

                                    2f18086355546c36bb1e613e98e67e08048a9a56a940418a242234fc1a29b1c745b537d7be6a91968e8b65954c444e3b3571565180076689c3a0dfee8adea6f5

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\61332004-acb0-4da5-9be0-68475f22799d.vbs
                                    Filesize

                                    737B

                                    MD5

                                    cdca2c00751cf98f2cb3f296533db9d4

                                    SHA1

                                    d554dbb3dab380e62a6406d3abc11077566b2b81

                                    SHA256

                                    0314329a2a364dcd904c2744f7fc01efa8c8a279792916ce8d9aacca975bf87c

                                    SHA512

                                    07ea11ac7a5cb4b3e62caa7808d41113ec7ef8cbbc34f97ed9819d77e97d1a914551e5a480c4af7b1b93d1a3ca0aad3f8d23a84061c147d47b3de24bcbc97794

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\9d1a1ee3-5371-4517-b4ec-3855d7f43ca8.vbs
                                    Filesize

                                    737B

                                    MD5

                                    62f5e47854e60a0f3c199686754f419f

                                    SHA1

                                    8b8bac700b2a5fdbf06f3cd1b92da3eeb5ee5e17

                                    SHA256

                                    9487a5ddaa456710648bd6e400b413c5d4684441e7078018840a760bc3fc9b5e

                                    SHA512

                                    5e454ff2e1d7bcaebdd4d0fcc112a407110f8589f48eecb31c12dc8688389dbaae91f89ce6cc3b5b65302a4fe4ebfb61a40621e4f5d2f1084b8cc72062b63e59

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\b8cf400e-1c70-4e8f-8a0a-a9557e9ce49a.vbs
                                    Filesize

                                    513B

                                    MD5

                                    8bc27b60ebf0ca4a4947fde096197cb7

                                    SHA1

                                    5baefb2a10a9a8695e7ee69d129e6bcc30ba43b3

                                    SHA256

                                    c56555aceae81165e3d37eab1d7eecfba8bb510c08d01a5764bda38ec8af45cc

                                    SHA512

                                    b4ef6a56fb087896273b06976a81aa49534ae0148b13b9b35a27faa406f88fff74429c5b41a7184a3bb56190bd25fc4c581c0a92a9f1ab107e7f86b08633c625

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\ebe202f7-f9f6-455e-a954-1c483df92d32.vbs
                                    Filesize

                                    736B

                                    MD5

                                    f75856c1cc8559362fc6570311a90ac6

                                    SHA1

                                    2d28cd3f980757f45caffce2282b19ef535fd58c

                                    SHA256

                                    91582f6b396bcede4ed2f3b5d8c2cac132f33d766e6b6dbd3af95d92be5c3cee

                                    SHA512

                                    6d1bde1de3e4008a6a6db5413d54b16fe6e9b32cbf5ed2323733f2e58d6d5f8eb89a2c45e599d9eb5174bce6265ef030c3ad2c3cfba2edf263a4f9f797de1083

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Temp\tmpF0A6.tmp.exe
                                    Filesize

                                    75KB

                                    MD5

                                    e0a68b98992c1699876f818a22b5b907

                                    SHA1

                                    d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                    SHA256

                                    2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                    SHA512

                                    856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                    Filesize

                                    7KB

                                    MD5

                                    89bd61d9cf672bf0d8f30dd812e110fc

                                    SHA1

                                    926ba8d4ab839ba86325bd370431313db21529c2

                                    SHA256

                                    74c000b78e69a8aa65665fbc3041f347aa84c07ae5b7582fc8ec0d56d938df4b

                                    SHA512

                                    1a70ad3eb3951fed5404235d192660b7a5771cc74720b27449653d33d2a10dfc3e4b9a62e39acd650488bfbdaa52d2e0584e441f91dfaf3afbfb4f11286a5949

                                    Download Submit

                                  • C:\Windows\PLA\csrss.exe
                                    Filesize

                                    4.9MB

                                    MD5

                                    2b748156c46b12dda0fe68199c2853f0

                                    SHA1

                                    11dc51c0fa65751c1a4747055700c6b54a91e845

                                    SHA256

                                    7400236c0f5f5fec04649ae26fe2999174eb2dd73fe0e93f54adef12d8d70a1a

                                    SHA512

                                    ab8a8c46da9e12024d0d4d5582fb2dc8af12e70db6f1a4c7e33ce34ed988efacac06e93a1ad05d12175eb2d450b71b4c2fa5363fa26e3099c9017a852b902fc5

                                    Download Submit

                                  • memory/828-1-0x0000000001180000-0x0000000001674000-memory.dmp

                                    Filesize

                                    5.0MB

                                    Download

                                  • memory/828-2-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

                                    Filesize

                                    9.9MB

                                    Download

                                  • memory/828-15-0x0000000000B50000-0x0000000000B58000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/828-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp

                                    Filesize

                                    48KB

                                    Download

                                  • memory/828-13-0x0000000000600000-0x000000000060E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/828-0-0x000007FEF58D3000-0x000007FEF58D4000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/828-94-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

                                    Filesize

                                    9.9MB

                                    Download

                                  • memory/828-12-0x00000000005F0000-0x00000000005FE000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/828-6-0x0000000000530000-0x0000000000540000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/828-14-0x0000000000610000-0x0000000000618000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/828-10-0x00000000005D0000-0x00000000005E2000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/828-3-0x000000001BB00000-0x000000001BC2E000-memory.dmp

                                    Filesize

                                    1.2MB

                                    Download

                                  • memory/828-11-0x00000000005E0000-0x00000000005EA000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/828-4-0x0000000000410000-0x000000000042C000-memory.dmp

                                    Filesize

                                    112KB

                                    Download

                                  • memory/828-9-0x00000000005C0000-0x00000000005CA000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/828-8-0x00000000005B0000-0x00000000005C0000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/828-7-0x0000000000590000-0x00000000005A6000-memory.dmp

                                    Filesize

                                    88KB

                                    Download

                                  • memory/828-5-0x0000000000430000-0x0000000000438000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/1404-164-0x0000000002860000-0x0000000002868000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/1404-159-0x000000001B6B0000-0x000000001B992000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/1808-308-0x0000000000820000-0x0000000000832000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2176-236-0x0000000000D50000-0x0000000000D62000-memory.dmp

                                    Filesize

                                    72KB

                                    Download

                                  • memory/2308-251-0x00000000011A0000-0x0000000001694000-memory.dmp

                                    Filesize

                                    5.0MB

                                    Download

                                  • memory/2648-208-0x0000000000D60000-0x0000000001254000-memory.dmp

                                    Filesize

                                    5.0MB

                                    Download

                                  • memory/2816-121-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

                                    Filesize

                                    2.9MB

                                    Download

                                  • memory/2816-122-0x00000000022D0000-0x00000000022D8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download