dcrat | 35e26bdbdea45ece8f73ddac192c584868bc55018cd95fcf669695c0f68260d7

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9684b8aa290d6ff1b647323a6d35f5.exe
Size

885KB
MD5

fa9684b8aa290d6ff1b647323a6d35f5
SHA1

eaa2e4dec8b464bb28620701b1be6e43c213e353
SHA256

c9fe3fb036b54f47621312aa2237e9b9038c52f1b089c3c5fa047d4d7e5d7eca
SHA512

7f47d4b4b51fdf860ed53cd9710a72898fe14200904542d7a7ec8e0c6c2b617ee094307b061d8cb951c0966a66779e5bfda9a60d9782055b17e2005adcadf1ca
SSDEEP

12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2020	schtasks.exe	30

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2072-1-0x0000000000100000-0x00000000001E4000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4c9-45.dat	dcrat
behavioral1/files/0x000600000001a478-65.dat	dcrat
behavioral1/files/0x000500000001a4a0-18.dat	dcrat
behavioral1/memory/2192-98-0x0000000000EA0000-0x0000000000F84000-memory.dmp	dcrat
behavioral1/memory/2516-109-0x0000000001120000-0x0000000001204000-memory.dmp	dcrat
behavioral1/memory/2028-143-0x0000000001350000-0x0000000001434000-memory.dmp	dcrat
behavioral1/memory/1336-166-0x0000000000030000-0x0000000000114000-memory.dmp	dcrat
behavioral1/memory/2956-178-0x0000000000210000-0x00000000002F4000-memory.dmp	dcrat
behavioral1/memory/2716-190-0x00000000002D0000-0x00000000003B4000-memory.dmp	dcrat
behavioral1/memory/1628-202-0x0000000000060000-0x0000000000144000-memory.dmp	dcrat
behavioral1/memory/928-214-0x0000000000920000-0x0000000000A04000-memory.dmp	dcrat
behavioral1/memory/2760-226-0x00000000000E0000-0x00000000001C4000-memory.dmp	dcrat
behavioral1/memory/1740-238-0x00000000011B0000-0x0000000001294000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2192	smss.exe
2516	smss.exe
1136	smss.exe
2928	smss.exe
2028	smss.exe
900	smss.exe
1336	smss.exe
2956	smss.exe
2716	smss.exe
1628	smss.exe
928	smss.exe
2760	smss.exe
1740	smss.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXBB97.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXBC07.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXBC75.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\smss.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\69ddcba757bf72	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\5940a34987c991	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCXBB29.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\sppsvc.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Windows\de-DE\sppsvc.exe	fa9684b8aa290d6ff1b647323a6d35f5.exe
File created	C:\Windows\de-DE\0a1fd5f707cd16	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Windows\de-DE\RCXBAB9.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe
File opened for modification	C:\Windows\de-DE\RCXBABA.tmp	fa9684b8aa290d6ff1b647323a6d35f5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1888	schtasks.exe
2980	schtasks.exe
1624	schtasks.exe
2784	schtasks.exe
2884	schtasks.exe
1496	schtasks.exe
1112	schtasks.exe
2056	schtasks.exe
2796	schtasks.exe
2732	schtasks.exe
2736	schtasks.exe
2584	schtasks.exe
2624	schtasks.exe
2832	schtasks.exe
2820	schtasks.exe
1172	schtasks.exe
2676	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2072	fa9684b8aa290d6ff1b647323a6d35f5.exe
2192	smss.exe
2516	smss.exe
1136	smss.exe
2928	smss.exe
2028	smss.exe
900	smss.exe
1336	smss.exe
2956	smss.exe
2716	smss.exe
1628	smss.exe
928	smss.exe
2760	smss.exe
1740	smss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	fa9684b8aa290d6ff1b647323a6d35f5.exe
Token: SeDebugPrivilege	2192	smss.exe
Token: SeDebugPrivilege	2516	smss.exe
Token: SeDebugPrivilege	1136	smss.exe
Token: SeDebugPrivilege	2928	smss.exe
Token: SeDebugPrivilege	2028	smss.exe
Token: SeDebugPrivilege	900	smss.exe
Token: SeDebugPrivilege	1336	smss.exe
Token: SeDebugPrivilege	2956	smss.exe
Token: SeDebugPrivilege	2716	smss.exe
Token: SeDebugPrivilege	1628	smss.exe
Token: SeDebugPrivilege	928	smss.exe
Token: SeDebugPrivilege	2760	smss.exe
Token: SeDebugPrivilege	1740	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2392	2072	fa9684b8aa290d6ff1b647323a6d35f5.exe	49
PID 2072 wrote to memory of 2392	2072	fa9684b8aa290d6ff1b647323a6d35f5.exe	49
PID 2072 wrote to memory of 2392	2072	fa9684b8aa290d6ff1b647323a6d35f5.exe	49
PID 2392 wrote to memory of 2496	2392	cmd.exe	51
PID 2392 wrote to memory of 2496	2392	cmd.exe	51
PID 2392 wrote to memory of 2496	2392	cmd.exe	51
PID 2392 wrote to memory of 2192	2392	cmd.exe	53
PID 2392 wrote to memory of 2192	2392	cmd.exe	53
PID 2392 wrote to memory of 2192	2392	cmd.exe	53
PID 2192 wrote to memory of 1652	2192	smss.exe	54
PID 2192 wrote to memory of 1652	2192	smss.exe	54
PID 2192 wrote to memory of 1652	2192	smss.exe	54
PID 2192 wrote to memory of 908	2192	smss.exe	55
PID 2192 wrote to memory of 908	2192	smss.exe	55
PID 2192 wrote to memory of 908	2192	smss.exe	55
PID 1652 wrote to memory of 2516	1652	WScript.exe	56
PID 1652 wrote to memory of 2516	1652	WScript.exe	56
PID 1652 wrote to memory of 2516	1652	WScript.exe	56
PID 2516 wrote to memory of 1908	2516	smss.exe	57
PID 2516 wrote to memory of 1908	2516	smss.exe	57
PID 2516 wrote to memory of 1908	2516	smss.exe	57
PID 2516 wrote to memory of 2268	2516	smss.exe	58
PID 2516 wrote to memory of 2268	2516	smss.exe	58
PID 2516 wrote to memory of 2268	2516	smss.exe	58
PID 1908 wrote to memory of 1136	1908	WScript.exe	59
PID 1908 wrote to memory of 1136	1908	WScript.exe	59
PID 1908 wrote to memory of 1136	1908	WScript.exe	59
PID 1136 wrote to memory of 2632	1136	smss.exe	60
PID 1136 wrote to memory of 2632	1136	smss.exe	60
PID 1136 wrote to memory of 2632	1136	smss.exe	60
PID 1136 wrote to memory of 2948	1136	smss.exe	61
PID 1136 wrote to memory of 2948	1136	smss.exe	61
PID 1136 wrote to memory of 2948	1136	smss.exe	61
PID 2632 wrote to memory of 2928	2632	WScript.exe	62
PID 2632 wrote to memory of 2928	2632	WScript.exe	62
PID 2632 wrote to memory of 2928	2632	WScript.exe	62
PID 2928 wrote to memory of 2384	2928	smss.exe	63
PID 2928 wrote to memory of 2384	2928	smss.exe	63
PID 2928 wrote to memory of 2384	2928	smss.exe	63
PID 2928 wrote to memory of 1244	2928	smss.exe	64
PID 2928 wrote to memory of 1244	2928	smss.exe	64
PID 2928 wrote to memory of 1244	2928	smss.exe	64
PID 2384 wrote to memory of 2028	2384	WScript.exe	65
PID 2384 wrote to memory of 2028	2384	WScript.exe	65
PID 2384 wrote to memory of 2028	2384	WScript.exe	65
PID 2028 wrote to memory of 1732	2028	smss.exe	66
PID 2028 wrote to memory of 1732	2028	smss.exe	66
PID 2028 wrote to memory of 1732	2028	smss.exe	66
PID 2028 wrote to memory of 2392	2028	smss.exe	67
PID 2028 wrote to memory of 2392	2028	smss.exe	67
PID 2028 wrote to memory of 2392	2028	smss.exe	67
PID 1732 wrote to memory of 900	1732	WScript.exe	68
PID 1732 wrote to memory of 900	1732	WScript.exe	68
PID 1732 wrote to memory of 900	1732	WScript.exe	68
PID 900 wrote to memory of 952	900	smss.exe	69
PID 900 wrote to memory of 952	900	smss.exe	69
PID 900 wrote to memory of 952	900	smss.exe	69
PID 900 wrote to memory of 3064	900	smss.exe	70
PID 900 wrote to memory of 3064	900	smss.exe	70
PID 900 wrote to memory of 3064	900	smss.exe	70
PID 952 wrote to memory of 1336	952	WScript.exe	71
PID 952 wrote to memory of 1336	952	WScript.exe	71
PID 952 wrote to memory of 1336	952	WScript.exe	71
PID 1336 wrote to memory of 2656	1336	smss.exe	72

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fa9684b8aa290d6ff1b647323a6d35f5.exe
"C:\Users\Admin\AppData\Local\Temp\fa9684b8aa290d6ff1b647323a6d35f5.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lbKBZUlOPJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2496
- - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
    "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fa33eb3-9a65-4c86-b7a0-052ae8d5574f.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1652
    - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2528dfe1-ece8-48fb-80d0-c739d9d5d37d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaef652a-e651-46d2-a3fe-ec832134d66d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7262d28-80cd-46b5-8a0b-db6a59707449.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c23e76e0-aa62-4981-919c-fb197567dab5.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f7fcd93-5d97-4844-a91f-5a4bd486e6f2.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a28a0715-970c-4da3-b7fa-17f86665e499.vbs"
        16⤵
        
        PID:2656
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0179ab30-6bbf-4b7c-97d5-a0acd59f8e35.vbs"
        18⤵
        
        PID:1624
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec087621-a1c0-4d16-abd0-a6028839b90c.vbs"
        20⤵
        
        PID:2156
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d3ca148-ae06-4bd7-8d92-5f078c1dd533.vbs"
        22⤵
        
        PID:2416
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e763dece-b4e9-43e5-a975-30beac909127.vbs"
        24⤵
        
        PID:2920
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15005b88-f22f-401e-8a9d-33d5cab2ba2e.vbs"
        26⤵
        
        PID:1456
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98f3131d-db73-482e-b654-601214e6c91c.vbs"
        26⤵
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1dfaac58-060b-46c4-868a-8bb91a544cdf.vbs"
        24⤵
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e29dcf-0a69-4337-b39b-56f2dbc3405e.vbs"
        22⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\470e88f4-0444-41e9-9edb-fafa89c57227.vbs"
        20⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5ef76c5-e906-4acc-9a0a-fc4c4fc848b7.vbs"
        18⤵
        
        PID:1280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c930cc8-9ace-49c2-a572-a7828621278e.vbs"
        16⤵
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de5de22d-93b9-43fa-a8a2-6e4983dd3e7e.vbs"
        14⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50329555-c015-4152-9da0-310e8ec3d06a.vbs"
        12⤵
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c2c5f4b-afe1-4e1f-8538-bb00ae9de0f7.vbs"
        10⤵
        
        PID:1244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6229cbef-e823-4207-824b-567c906117bc.vbs"
        8⤵
        
        PID:2948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb029023-62ab-46ec-a3f3-4f848f0b15a7.vbs"
        6⤵
        
        PID:2268
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3fd8604-c776-411b-b57e-356e975983f2.vbs"
      4⤵
      PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\Sample Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe

Filesize
885KB

MD5
11b2bb5f2718280340e170630646cd46

SHA1
74731807e092adc7d82291f6f67a54ce25bbbe83

SHA256
0102e4f313716b152635443315e9e739f43037c44a99f95e2ea7902eb25669b1

SHA512
ef5912a20459e3282abb0b086b36f32b26a6a51f9476f823ac171f60347af5ccd6bc7d94f6e38228df1443f9b747738d91d3413a06898aed3bb4be2a8f4bc245

Download Submit
C:\Program Files\Windows Photo Viewer\es-ES\smss.exe

Filesize
885KB

MD5
6362e6904ffa0f41a9bf22d4da9fe67c

SHA1
0f63ea80bbf432912e37fcd23c3a45a184412a51

SHA256
84b9ef37a70cb4c7d965d71c2b294d31c4e4d7c4bc472b80d6684ed6fa34118f

SHA512
706a5505c4aef2ec792d0a95b633756cfd414c6dc229af79112b0aad6552f6b63b3c1333fec8e182b1707c86263214acdd6a07686d1915afdbf4ea9b08ae4198

Download Submit
C:\Users\Admin\AppData\Local\Temp\0179ab30-6bbf-4b7c-97d5-a0acd59f8e35.vbs

Filesize
733B

MD5
a34c9b3e3f6b62006f12ab94517c7f6b

SHA1
5b61d19dd362c69591e1aef21e56690e56552d6a

SHA256
4a4cd886f0bd07f93ecfc3d36e887f5d8b412fe1b0164a5451636845c59516a5

SHA512
6a073e56a4d2f6cddf977b13777fbbf5bd323f2b957c1965e5d3ab390f6a428b321a866d6e6f62148501625a6915994ccdf610284b1ca9a6053ff9655b3950b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\15005b88-f22f-401e-8a9d-33d5cab2ba2e.vbs

Filesize
733B

MD5
123fb58677839e604a9f301e80d56121

SHA1
85f996bf64b586077c25649c2bd3631d3e012f0a

SHA256
6001b759ce2aa889389a64f057a34a478841a60d138b8cc1f1d48943177290d6

SHA512
610899d0071aee2fe6ed24c394b149b3e8e796b473ad9edca6af588b9d90fa0a10c45721b2dfe09a937c3e22a021950c776dff80fd4474a91860a88c7714873c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2528dfe1-ece8-48fb-80d0-c739d9d5d37d.vbs

Filesize
733B

MD5
b77ec56276c13738d131a43323a4ed8e

SHA1
de175a1e34e582fd00ab8eea1c98d5f4b6c2a517

SHA256
13b516a8196fe4593c4478412d42a6d4de3f25b64357209e363a0be75b483253

SHA512
7842023141bc9fc8190a2a7f43cf5ea16ceb6df930993804ef4469b29598f48d21f90144ed139555a04736b3d2f0265e80d5c54f077f4476bc27695770bb0cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f7fcd93-5d97-4844-a91f-5a4bd486e6f2.vbs

Filesize
732B

MD5
2b73b115bf444bb18616b159b0752a41

SHA1
e961eff78830173fe2aaa1b9aa72f82a2645c00d

SHA256
892cfa9df55dfd9e4540b35205fbcaa528a189e992a3d6a87600e3159834d366

SHA512
c5ac0b6264103776701927bab9b2adaafb523a81093623a47ae652a9bb1c6bad5fb28c28b445fab04123f6f2a2b544f44cf9eb898065eeb136226cffbe4e262e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fa33eb3-9a65-4c86-b7a0-052ae8d5574f.vbs

Filesize
733B

MD5
0fd5f2e44e1a3d571b21b4b3e99af8ed

SHA1
9733b1b0d1265fdd273314ee452ff1e03f63f1ec

SHA256
29d8552db5d0a620f9ddbe171fcd5fb3e9b500a821b688da7351a193c3121c8c

SHA512
cb803708c3e6b8110f37532349558feaa3343a854a38e66bc5bf67230432e1a130cb17439f8a4ef2d5b1ceedc0b5499e4318aff80b02f741612ad246858d2e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d3ca148-ae06-4bd7-8d92-5f078c1dd533.vbs

Filesize
733B

MD5
3966326ac074f72f1ecfb4aaf26ca395

SHA1
6f8cb2c4ae63ff4a0fc2f74151cffe38df27dc2c

SHA256
a4b3498a1a6897ad72acb82a3d768f29df0387733a9851e3c6338b1690e42cd5

SHA512
95310c1e849f93097c3b11f4e0d78d1e44d01cada97939b42c86d7e3641a33f793e8fe4ea5327b52e7e1ac55cf3aeca1f487383763b011a1d19832e6934c6ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a28a0715-970c-4da3-b7fa-17f86665e499.vbs

Filesize
733B

MD5
75eb1b4c771a8bb3675f56c2d49abc89

SHA1
4795a318c4f1201a7e96911d46745b7f68d339a8

SHA256
0c3210b083e12b1eac677fb9fbbb967b07724570c14155f347547d72e8bc866c

SHA512
b0b770f45ea005887defe898151a2e39f99403cca507e3b774b20d1d5c37d6f3bcf4ee865952477a4ca17a2fc64e19634a2f795a21eec4a2002f363b825a7a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7262d28-80cd-46b5-8a0b-db6a59707449.vbs

Filesize
733B

MD5
ae0f20553a2fbe5daf07733f10e2d7d6

SHA1
a0c13295ca752320885a43adbf8a7edf5e57e55b

SHA256
f73480f0b601386593c80457b8f69b7dd0d8747f716f443535ea742102858b07

SHA512
862cc904a2606032f998646518affc6c3884189b7b0413e0b19ca963bee0ec5c02ddf4011c35a4bd49dc6d3d4bc8e593c4fe28d3d90b9d5c13a5eae5b3853c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c23e76e0-aa62-4981-919c-fb197567dab5.vbs

Filesize
733B

MD5
ccf9c1ae7b037eff2d410931702163d4

SHA1
45572a7ffc4d1fe664fc1e211b0760be2c865f94

SHA256
e5b2966934b75fd4b6b0aee972f38f7e2946fba6c33d92ea46b0eae98d23c340

SHA512
39f11a06997dfb625ab2e853234552af80362bfd73c6b1cd83c7606730a7fd573ea5dc11b1bcfd5c4d38700c51a7a6ec18cc366d13862827e2d0cb44e0c805fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\e763dece-b4e9-43e5-a975-30beac909127.vbs

Filesize
732B

MD5
7efaf908cc2d62de4e3f27b73ed89e03

SHA1
965165d0d03eed551be45cbfb290d0fe15d2ed5c

SHA256
edb5020d08c687d557d362f008e99c1af64f8fed3f44653780580707427f2884

SHA512
fa0bae95b30dca54472d174cd32b9d366b419062a40ad073d24293d9d2a4df3b7b7294b1e2a205e1c2c7a92810bc0a8262b10b2f83a73218094787e6f5c7e593

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaef652a-e651-46d2-a3fe-ec832134d66d.vbs

Filesize
733B

MD5
1f95e5631c87c7fed49d17b48e648c49

SHA1
73f6028544009f000129265917252eb787a37d85

SHA256
5bda0c9cabd1b8060d828575b551ab4b1adbadb70abffc60a89f04b1eacf4363

SHA512
43758131e9fd0fbdf380418cf5675e0c3766052c022e48cbeb0a6c46c410033d43af588b5c480323fab78f5f3624a5097c09c6af812e8b1fa6a06ea57ea3e74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec087621-a1c0-4d16-abd0-a6028839b90c.vbs

Filesize
733B

MD5
f8089b651755fd70c9f288d4de043e58

SHA1
6a6c935132dcf2c46065f88691970e459877480c

SHA256
b6205d2ea2f6c83b010ae1a3b5fe2dc1da8bc8806946f6c03020610d0d8be7fc

SHA512
2512341782ad3a49e194de84fc849c8e8fc98840a761b2524fe7a5050e085d2a3ca997cc82ee8b1fcdd1dd399721f3f23c9e556ca212dfc202c87bf214dcdc02

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3fd8604-c776-411b-b57e-356e975983f2.vbs

Filesize
509B

MD5
1d3d31269e17a19e62b80d1c78758eab

SHA1
58bda59638e18dc087d0c0afe74237686bfae7ba

SHA256
eb4d20dc2d73f992e01ad3c1fc1226a633f4fa04b57b9df98d1a5a4ba09f49b8

SHA512
9bf884e11fdb7bbef909b1444bd0f14baf63254fcbcc21622ce800f63f716c01d6d772f372a551842af13b2bd53715bc7e5dcc7b2354acff922cf44194b78569

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbKBZUlOPJ.bat

Filesize
222B

MD5
0e8c3ea9e31455f270dfe2c740fec5d8

SHA1
3a01370d0be40ee09c9903bf2f0de3ba2b47290e

SHA256
aad1eee0ce18802d8f45e0cb885efd41c2cc19569eb5139877c44ac3bbbd75fc

SHA512
1a5ab0eac85108840ee0cc9d86ecbb870572a05c1f6632965c2b1d95c1ab5898c8ba2fafca9f7bf7f64b132867db703dd3e3ad13d674e16e0566798803618b07

Download Submit
C:\Users\Public\Videos\Sample Videos\System.exe

Filesize
885KB

MD5
fa9684b8aa290d6ff1b647323a6d35f5

SHA1
eaa2e4dec8b464bb28620701b1be6e43c213e353

SHA256
c9fe3fb036b54f47621312aa2237e9b9038c52f1b089c3c5fa047d4d7e5d7eca

SHA512
7f47d4b4b51fdf860ed53cd9710a72898fe14200904542d7a7ec8e0c6c2b617ee094307b061d8cb951c0966a66779e5bfda9a60d9782055b17e2005adcadf1ca

Download Submit
memory/928-214-0x0000000000920000-0x0000000000A04000-memory.dmp

Filesize
912KB

Download
memory/1336-166-0x0000000000030000-0x0000000000114000-memory.dmp

Filesize
912KB

Download
memory/1628-202-0x0000000000060000-0x0000000000144000-memory.dmp

Filesize
912KB

Download
memory/1740-238-0x00000000011B0000-0x0000000001294000-memory.dmp

Filesize
912KB

Download
memory/2028-143-0x0000000001350000-0x0000000001434000-memory.dmp

Filesize
912KB

Download
memory/2072-7-0x00000000021D0000-0x00000000021DE000-memory.dmp

Filesize
56KB

Download
memory/2072-0-0x000007FEF5703000-0x000007FEF5704000-memory.dmp

Filesize
4KB

Download
memory/2072-3-0x0000000001EF0000-0x0000000001F0C000-memory.dmp

Filesize
112KB

Download
memory/2072-5-0x00000000021A0000-0x00000000021B6000-memory.dmp

Filesize
88KB

Download
memory/2072-8-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download
memory/2072-2-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-1-0x0000000000100000-0x00000000001E4000-memory.dmp

Filesize
912KB

Download
memory/2072-4-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/2072-95-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2072-6-0x00000000021C0000-0x00000000021CA000-memory.dmp

Filesize
40KB

Download
memory/2072-9-0x00000000021F0000-0x00000000021FC000-memory.dmp

Filesize
48KB

Download
memory/2192-98-0x0000000000EA0000-0x0000000000F84000-memory.dmp

Filesize
912KB

Download
memory/2516-109-0x0000000001120000-0x0000000001204000-memory.dmp

Filesize
912KB

Download
memory/2716-190-0x00000000002D0000-0x00000000003B4000-memory.dmp

Filesize
912KB

Download
memory/2760-226-0x00000000000E0000-0x00000000001C4000-memory.dmp

Filesize
912KB

Download
memory/2956-178-0x0000000000210000-0x00000000002F4000-memory.dmp

Filesize
912KB

Download