dcrat | a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
Size

1.7MB
MD5

60aee14b66a5385404c52533841731f2
SHA1

5fdc7a1d3e168b2b7e2824cd3b50570b03a5d03f
SHA256

a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7
SHA512

5a3eb9d974f43e0a81187d76a779b5995d3645291f15f31fbda165e3c668980d01bed1f3f42561d0a62930e5e09af01a7229dde939e50ad9cc3ce1c413d8dc75
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2860	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1728-1-0x0000000001230000-0x00000000013E6000-memory.dmp	dcrat
behavioral1/files/0x0005000000019299-27.dat	dcrat
behavioral1/files/0x00090000000120f9-57.dat	dcrat
behavioral1/memory/2892-178-0x0000000000250000-0x0000000000406000-memory.dmp	dcrat
behavioral1/memory/2604-200-0x00000000012C0000-0x0000000001476000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe
1608	powershell.exe
1748	powershell.exe
1896	powershell.exe
1796	powershell.exe
2376	powershell.exe
1064	powershell.exe
2964	powershell.exe
1240	powershell.exe
1484	powershell.exe
1508	powershell.exe
1540	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	sppsvc.exe
2604	sppsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\304894a6cb95c6	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\7a0fd90576e088	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCX9FAD.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXA82D.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXA82E.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXA01B.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain_32\RCXA424.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\twain_32\RCXA425.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\TAPI\RCXAA32.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\TAPI\smss.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Windows\twain_32\sppsvc.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Windows\twain_32\0a1fd5f707cd16	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Windows\TAPI\smss.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File created	C:\Windows\TAPI\69ddcba757bf72	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\twain_32\sppsvc.exe	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
File opened for modification	C:\Windows\TAPI\RCXAA33.tmp	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe
1916	schtasks.exe
1716	schtasks.exe
2320	schtasks.exe
2912	schtasks.exe
2268	schtasks.exe
2216	schtasks.exe
2672	schtasks.exe
2664	schtasks.exe
1404	schtasks.exe
3004	schtasks.exe
2344	schtasks.exe
2908	schtasks.exe
2104	schtasks.exe
2724	schtasks.exe
2660	schtasks.exe
2788	schtasks.exe
2616	schtasks.exe
2900	schtasks.exe
2712	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
1104	powershell.exe
2964	powershell.exe
1796	powershell.exe
2376	powershell.exe
1508	powershell.exe
1748	powershell.exe
1896	powershell.exe
1608	powershell.exe
1064	powershell.exe
1540	powershell.exe
1240	powershell.exe
1484	powershell.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2892	sppsvc.exe
2604	sppsvc.exe
2604	sppsvc.exe
2604	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2892	sppsvc.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2604	sppsvc.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1540	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	52
PID 1728 wrote to memory of 1540	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	52
PID 1728 wrote to memory of 1540	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	52
PID 1728 wrote to memory of 1796	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	53
PID 1728 wrote to memory of 1796	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	53
PID 1728 wrote to memory of 1796	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	53
PID 1728 wrote to memory of 2376	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	54
PID 1728 wrote to memory of 2376	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	54
PID 1728 wrote to memory of 2376	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	54
PID 1728 wrote to memory of 1896	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	55
PID 1728 wrote to memory of 1896	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	55
PID 1728 wrote to memory of 1896	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	55
PID 1728 wrote to memory of 1064	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	56
PID 1728 wrote to memory of 1064	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	56
PID 1728 wrote to memory of 1064	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	56
PID 1728 wrote to memory of 1104	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	57
PID 1728 wrote to memory of 1104	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	57
PID 1728 wrote to memory of 1104	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	57
PID 1728 wrote to memory of 2964	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	58
PID 1728 wrote to memory of 2964	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	58
PID 1728 wrote to memory of 2964	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	58
PID 1728 wrote to memory of 1608	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	59
PID 1728 wrote to memory of 1608	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	59
PID 1728 wrote to memory of 1608	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	59
PID 1728 wrote to memory of 1240	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	60
PID 1728 wrote to memory of 1240	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	60
PID 1728 wrote to memory of 1240	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	60
PID 1728 wrote to memory of 1484	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	61
PID 1728 wrote to memory of 1484	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	61
PID 1728 wrote to memory of 1484	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	61
PID 1728 wrote to memory of 1508	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	62
PID 1728 wrote to memory of 1508	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	62
PID 1728 wrote to memory of 1508	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	62
PID 1728 wrote to memory of 1748	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	63
PID 1728 wrote to memory of 1748	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	63
PID 1728 wrote to memory of 1748	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	63
PID 1728 wrote to memory of 2892	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	76
PID 1728 wrote to memory of 2892	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	76
PID 1728 wrote to memory of 2892	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	76
PID 1728 wrote to memory of 2892	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	76
PID 1728 wrote to memory of 2892	1728	a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe	76
PID 2892 wrote to memory of 3056	2892	sppsvc.exe	77
PID 2892 wrote to memory of 3056	2892	sppsvc.exe	77
PID 2892 wrote to memory of 3056	2892	sppsvc.exe	77
PID 2892 wrote to memory of 1360	2892	sppsvc.exe	78
PID 2892 wrote to memory of 1360	2892	sppsvc.exe	78
PID 2892 wrote to memory of 1360	2892	sppsvc.exe	78
PID 3056 wrote to memory of 2604	3056	WScript.exe	79
PID 3056 wrote to memory of 2604	3056	WScript.exe	79
PID 3056 wrote to memory of 2604	3056	WScript.exe	79
PID 3056 wrote to memory of 2604	3056	WScript.exe	79
PID 3056 wrote to memory of 2604	3056	WScript.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe
"C:\Users\Admin\AppData\Local\Temp\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
  "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20d80449-89e1-404a-ae14-f0eab97617ab.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe
      "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0edb0035-503a-4ec0-875e-3f3e2065ffd7.vbs"
    3⤵
    PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7a" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7a" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.7MB

MD5
60aee14b66a5385404c52533841731f2

SHA1
5fdc7a1d3e168b2b7e2824cd3b50570b03a5d03f

SHA256
a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7

SHA512
5a3eb9d974f43e0a81187d76a779b5995d3645291f15f31fbda165e3c668980d01bed1f3f42561d0a62930e5e09af01a7229dde939e50ad9cc3ce1c413d8dc75

Download Submit
C:\Program Files\VideoLAN\VLC\hrtfs\a2249bfbc47db7399d868ffb04035b360dadd039fd1de0824500cb26f23adff7.exe

Filesize
1.7MB

MD5
62a6e8a586ac6cddcd858665543b77c9

SHA1
71830898cd889be474cb6e6bbedef6ca551cdb3f

SHA256
54b329c0dfbbe3782250b095511500404f338034f3021eb60ab9f043a38ec4a4

SHA512
a96fc7ec5bbe4b8ea38b6a0305faf36c5e25abfe0f1cf95f7563bb8468e9151361a07400806e214921975a29e626091dd2c54d200cb57e3c763de2d56d3e1730

Download Submit
C:\Users\Admin\AppData\Local\Temp\0edb0035-503a-4ec0-875e-3f3e2065ffd7.vbs

Filesize
525B

MD5
c755bb705cd9dd6359dc59e3de277f41

SHA1
be73a9ada527878292e606f3937351da0f0e7fd0

SHA256
e71149cf6c9ff0c5dc50b50a1d6b1fdbf97a348a529a61bbdf65cff1952e2168

SHA512
eab1de7583c0af7d1dbaec17f50920663006299f82585766f5834a145e32298ea5e030803e62f15d04d1a490effebd02e2de122ef14ad5b93a0187da4e00bfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\20d80449-89e1-404a-ae14-f0eab97617ab.vbs

Filesize
749B

MD5
ab41215d45f926f3b54c4efb6224f83e

SHA1
79b7976fff3b5b55f32abdfa17d8fcca64903bce

SHA256
193e6c119d36b85ccbe14b98db0eac04e7e89672ced0630d5f4fc34a6b9f109f

SHA512
39346888081ef2793c85a921a39758b8db0ba26a31feeedcac3236bcd28ea17cdbb2cd665ac00f49a9776d5ff4995f74074ddc8a4d54d5502ce2243bb26786a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6bacacb73652fd233e5f1b22f3c86017

SHA1
44f39d7a36e339d860d322563877355e3df28be1

SHA256
2a0683d4f559ba00995ed331c805b1ac60335f752240bd820947cf098aa1f462

SHA512
9d6c9ca72dae16a1b92c182690542e7debe49be87cf3b3ed6dd825a6f3ec279c0ef7d21fe42b804c3dedb1b33d918376017e0a8ae66e1927b470801b984c4ceb

Download Submit
memory/1104-146-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1104-157-0x0000000002250000-0x0000000002258000-memory.dmp

Filesize
32KB

Download
memory/1728-7-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1728-0-0x000007FEF5E73000-0x000007FEF5E74000-memory.dmp

Filesize
4KB

Download
memory/1728-9-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1728-10-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/1728-12-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/1728-16-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/1728-15-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/1728-14-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/1728-13-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/1728-17-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/1728-20-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-8-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/1728-6-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/1728-4-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/1728-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/1728-3-0x0000000000550000-0x000000000056C000-memory.dmp

Filesize
112KB

Download
memory/1728-1-0x0000000001230000-0x00000000013E6000-memory.dmp

Filesize
1.7MB

Download
memory/1728-189-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download
memory/1728-2-0x000007FEF5E70000-0x000007FEF685C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-200-0x00000000012C0000-0x0000000001476000-memory.dmp

Filesize
1.7MB

Download
memory/2892-178-0x0000000000250000-0x0000000000406000-memory.dmp

Filesize
1.7MB

Download