dcrat | 6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Size

1.6MB
MD5

8b03d1f60bdf0b6465c0623109e7269e
SHA1

33fb1f09f53ca182e1112ed973fce8fa97e4398f
SHA256

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf
SHA512

8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2652	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2652	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/2164-1-0x00000000003B0000-0x0000000000552000-memory.dmp	dcrat
behavioral17/files/0x000500000001a09f-28.dat	dcrat
behavioral17/files/0x000500000001a443-38.dat	dcrat
behavioral17/files/0x0012000000013a51-61.dat	dcrat
behavioral17/memory/1652-105-0x00000000009A0000-0x0000000000B42000-memory.dmp	dcrat
behavioral17/memory/1536-117-0x0000000001280000-0x0000000001422000-memory.dmp	dcrat
behavioral17/memory/2608-129-0x0000000001330000-0x00000000014D2000-memory.dmp	dcrat
behavioral17/memory/1616-141-0x00000000003A0000-0x0000000000542000-memory.dmp	dcrat
behavioral17/memory/1148-153-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral17/memory/872-176-0x0000000001390000-0x0000000001532000-memory.dmp	dcrat
behavioral17/memory/1504-188-0x0000000000060000-0x0000000000202000-memory.dmp	dcrat
behavioral17/memory/2880-200-0x0000000000CF0000-0x0000000000E92000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1524	powershell.exe
1944	powershell.exe
1148	powershell.exe
2012	powershell.exe
1740	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1652	smss.exe
1536	smss.exe
2608	smss.exe
1616	smss.exe
1148	smss.exe
680	smss.exe
872	smss.exe
1504	smss.exe
2880	smss.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\dllhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Google\RCXEE87.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF08B.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\System.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\Google\dllhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\Google\5940a34987c991	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\Google\RCXEE18.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXF08A.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\spoolsv.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\LiveKernelReports\f3b6ecef712a24	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXF28F.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXF2FD.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\LiveKernelReports\spoolsv.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\schemas\EAPHost\WmiPrvSE.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2852	schtasks.exe
2752	schtasks.exe
2808	schtasks.exe
2608	schtasks.exe
648	schtasks.exe
2932	schtasks.exe
2592	schtasks.exe
2532	schtasks.exe
2548	schtasks.exe
2784	schtasks.exe
2708	schtasks.exe
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
1740	powershell.exe
2012	powershell.exe
1524	powershell.exe
1148	powershell.exe
1944	powershell.exe
1652	smss.exe
1536	smss.exe
2608	smss.exe
1616	smss.exe
1148	smss.exe
680	smss.exe
872	smss.exe
1504	smss.exe
2880	smss.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1652	smss.exe
Token: SeDebugPrivilege	1536	smss.exe
Token: SeDebugPrivilege	2608	smss.exe
Token: SeDebugPrivilege	1616	smss.exe
Token: SeDebugPrivilege	1148	smss.exe
Token: SeDebugPrivilege	680	smss.exe
Token: SeDebugPrivilege	872	smss.exe
Token: SeDebugPrivilege	1504	smss.exe
Token: SeDebugPrivilege	2880	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 1148	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	44
PID 2164 wrote to memory of 1148	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	44
PID 2164 wrote to memory of 1148	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	44
PID 2164 wrote to memory of 2012	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	45
PID 2164 wrote to memory of 2012	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	45
PID 2164 wrote to memory of 2012	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	45
PID 2164 wrote to memory of 1944	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	46
PID 2164 wrote to memory of 1944	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	46
PID 2164 wrote to memory of 1944	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	46
PID 2164 wrote to memory of 1740	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	47
PID 2164 wrote to memory of 1740	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	47
PID 2164 wrote to memory of 1740	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	47
PID 2164 wrote to memory of 1524	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	49
PID 2164 wrote to memory of 1524	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	49
PID 2164 wrote to memory of 1524	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	49
PID 2164 wrote to memory of 1652	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	54
PID 2164 wrote to memory of 1652	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	54
PID 2164 wrote to memory of 1652	2164	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	54
PID 1652 wrote to memory of 2816	1652	smss.exe	55
PID 1652 wrote to memory of 2816	1652	smss.exe	55
PID 1652 wrote to memory of 2816	1652	smss.exe	55
PID 1652 wrote to memory of 2172	1652	smss.exe	56
PID 1652 wrote to memory of 2172	1652	smss.exe	56
PID 1652 wrote to memory of 2172	1652	smss.exe	56
PID 2816 wrote to memory of 1536	2816	WScript.exe	57
PID 2816 wrote to memory of 1536	2816	WScript.exe	57
PID 2816 wrote to memory of 1536	2816	WScript.exe	57
PID 1536 wrote to memory of 3016	1536	smss.exe	58
PID 1536 wrote to memory of 3016	1536	smss.exe	58
PID 1536 wrote to memory of 3016	1536	smss.exe	58
PID 1536 wrote to memory of 2752	1536	smss.exe	59
PID 1536 wrote to memory of 2752	1536	smss.exe	59
PID 1536 wrote to memory of 2752	1536	smss.exe	59
PID 3016 wrote to memory of 2608	3016	WScript.exe	60
PID 3016 wrote to memory of 2608	3016	WScript.exe	60
PID 3016 wrote to memory of 2608	3016	WScript.exe	60
PID 2608 wrote to memory of 1860	2608	smss.exe	61
PID 2608 wrote to memory of 1860	2608	smss.exe	61
PID 2608 wrote to memory of 1860	2608	smss.exe	61
PID 2608 wrote to memory of 2316	2608	smss.exe	62
PID 2608 wrote to memory of 2316	2608	smss.exe	62
PID 2608 wrote to memory of 2316	2608	smss.exe	62
PID 1860 wrote to memory of 1616	1860	WScript.exe	63
PID 1860 wrote to memory of 1616	1860	WScript.exe	63
PID 1860 wrote to memory of 1616	1860	WScript.exe	63
PID 1616 wrote to memory of 1692	1616	smss.exe	64
PID 1616 wrote to memory of 1692	1616	smss.exe	64
PID 1616 wrote to memory of 1692	1616	smss.exe	64
PID 1616 wrote to memory of 1676	1616	smss.exe	65
PID 1616 wrote to memory of 1676	1616	smss.exe	65
PID 1616 wrote to memory of 1676	1616	smss.exe	65
PID 1692 wrote to memory of 1148	1692	WScript.exe	66
PID 1692 wrote to memory of 1148	1692	WScript.exe	66
PID 1692 wrote to memory of 1148	1692	WScript.exe	66
PID 1148 wrote to memory of 2156	1148	smss.exe	67
PID 1148 wrote to memory of 2156	1148	smss.exe	67
PID 1148 wrote to memory of 2156	1148	smss.exe	67
PID 1148 wrote to memory of 2116	1148	smss.exe	68
PID 1148 wrote to memory of 2116	1148	smss.exe	68
PID 1148 wrote to memory of 2116	1148	smss.exe	68
PID 2156 wrote to memory of 680	2156	WScript.exe	69
PID 2156 wrote to memory of 680	2156	WScript.exe	69
PID 2156 wrote to memory of 680	2156	WScript.exe	69
PID 680 wrote to memory of 3056	680	smss.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
  "C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3808695b-b5ed-4f68-882d-73dc19cc241c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
      C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79b3adbd-e901-4b29-8776-4cc37e88e7a5.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09566802-f660-4893-83ea-be245e37ae25.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28cbfb2c-1464-4e99-9cdb-06860736bb33.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de5dd3f-2d8a-4beb-be72-dde674d9b9da.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f951463-7232-4f2c-8c06-2ec049992cb5.vbs"
        13⤵
        
        PID:3056
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4909cc9-401e-430a-9951-a19e25d569eb.vbs"
        15⤵
        
        PID:2852
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86781a64-29d8-45ef-8da0-9db19ed3b613.vbs"
        17⤵
        
        PID:1792
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        
        C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cb91bc8-5e0f-4a22-bc39-e3340b8e8ba7.vbs"
        19⤵
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7db610c-d9b1-40e9-93ca-83ad555f386e.vbs"
        19⤵
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0017d93c-81a3-4f22-83dc-885878a300a4.vbs"
        17⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f35e3c19-dd68-4a81-839d-98e2fa6c497f.vbs"
        15⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53f81faa-e186-461c-8df0-4c836a024ec6.vbs"
        13⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\934301f6-9907-49f4-88e9-877d43616079.vbs"
        11⤵
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6c89ac4-f539-42f7-a410-3650adea5ad3.vbs"
        9⤵
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4151b8f-1c59-48aa-9584-05f1b7e85770.vbs"
        7⤵
        
        PID:2316
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71089328-2bda-47a9-8612-45614989461b.vbs"
        5⤵
        
        PID:2752
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbefcf26-6e9b-4904-be24-4d0495b8aa70.vbs"
    3⤵
    PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\dllhost.exe

Filesize
1.6MB

MD5
1b94ffdece2669c380920b6f6fc05787

SHA1
d2210081a0e734f920f20845338f311ae2ec029d

SHA256
e1603ce7be11ee694f2c479fe54d7a1fdb7f4cd722c96335b52f78bfbe0068bd

SHA512
0d34160876ad7d88e2cdaecae5ecba9cd6207c5ee824b61ece89e03dcd8d50383f1659b8f4fe48faf7126c983b4fa73c5855d0273dc697568b92ecc899fb4d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\09566802-f660-4893-83ea-be245e37ae25.vbs

Filesize
733B

MD5
b84093cc5f7dfed6bfd0b0530c2fe26a

SHA1
0e1c988cef300652742b51881bed9df9874a6391

SHA256
43b5368733a79694c5beb409f041ae648df92e84d709d2de161b01a1bcc23a9b

SHA512
d7c33af4f60f62acedd6c217c56d1e1258c69b2ed16a11d8a8df56b32f0dbc4ef995762723839e02871fc403092d93730c137be2053b2c7060bb22b9d32709d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f951463-7232-4f2c-8c06-2ec049992cb5.vbs

Filesize
732B

MD5
9b600a16f45a6e02253623a25b38ac02

SHA1
65e3ea07cde173acdafd011593b7df7140dae109

SHA256
c835535ab73a752edc1265e9df335378ec4c8d37dddcbf84e8a3104e6bc313c7

SHA512
614b7e1524d2c254a92322ac3c296896283ce029aebff96051bc206159139850189e0338149bb6451c7267475fb1f9c666df0781e1c111aee6c97df8264fc2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\28cbfb2c-1464-4e99-9cdb-06860736bb33.vbs

Filesize
733B

MD5
28a16126ba86c6ff4d4d96d35f5f8dec

SHA1
33392071c3716e4d5b1b8d281038e5fba5d7b8c9

SHA256
4a62a45aeccf7b9c407446fc3af4020621ad0d9e368e1ba904cb58222fa35cc3

SHA512
75250d59230401327ae4fd00be8ae5775ceb66fb45a52339428d283c086a22dcc625eef682c7daa7d01c6f19086a164a88af450ec4f7b537e3910a26d808aa9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3808695b-b5ed-4f68-882d-73dc19cc241c.vbs

Filesize
733B

MD5
598490620ecebfdc865ac897e289fe34

SHA1
cd3d0c7126bff41b1c28cdc4fdda641497369b09

SHA256
f8f6edd9accd5e05596d259958388dc90632c91be3cc7a7d33043f68f5fb546e

SHA512
e86d1c7375bf3435d6f8766508cdd2b43577b51ab9e4c00c553ba311040488512022b85109c4dfc1b1cf3cd6314e08cd91aaf9876c235c4fc903ea9f81c6c492

Download Submit
C:\Users\Admin\AppData\Local\Temp\6cb91bc8-5e0f-4a22-bc39-e3340b8e8ba7.vbs

Filesize
733B

MD5
953b7b79d97b2c4003b30ff34805cfd1

SHA1
5ba5e444b4dca72c3195d4e1a53641beca6013b3

SHA256
5cb586573c892e50655d46144aec0336898576c67e0eca0e288e28ffb973b475

SHA512
8f9680e8c8228898e3880236fba56076e87769dd75981dba227d2a00b844d8e495dbc39334dcf891a3688c82287d63153e1af25a6004f2fcc5cb4c12f906b76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\79b3adbd-e901-4b29-8776-4cc37e88e7a5.vbs

Filesize
733B

MD5
4fa26e18dd84211a5f425ffc68599744

SHA1
2a431d3a4ead0509d04f88864f134a3f45b1c4c5

SHA256
dd2817a6d0ea657e4f25526c9e02eb0f3a35c65467e437f6e142a41790caa738

SHA512
dd27362ca5d00d89abae86d635c966ad2b16cb7ce6872463fabfe5a111e3c07590d3e04aebc2e478f76f02c2ffec0275e421e65e9ffc48cd3cf80d3de2998509

Download Submit
C:\Users\Admin\AppData\Local\Temp\86781a64-29d8-45ef-8da0-9db19ed3b613.vbs

Filesize
733B

MD5
fe952d16010a2c097bd65598f8d9dbdb

SHA1
79d89eec2b4f1857953d48dd5b195e5e6282cbfe

SHA256
36a433e227c7356b51ba16dce74fd0e91d2ad229c4774a897364754d737172ef

SHA512
36ff1705116c4c96eb3030af6e6d54136e0214bafcf6232e25224098e617c4c4d5212ff7b98aa85654ee63fdb83f83013c3869d74184f02a57fe83d0d1f9e879

Download Submit
C:\Users\Admin\AppData\Local\Temp\8de5dd3f-2d8a-4beb-be72-dde674d9b9da.vbs

Filesize
733B

MD5
248fcf85673292ee3b07eb60bb97a5a5

SHA1
bf4ef537bc7f2174f21f1857ecefa8376a18658f

SHA256
02390a71b4f65232d7e7693010c19be1e075518768aa9b5328e8d0ae989f0275

SHA512
36366c40e7f69076ac0f417d80802684d0117ee6c07ba53f227eae8a3dd8edb71629cd67c69fb32bb211628eb3f67d8b8a754f8777ccbcffad71319192277595

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXEC15.tmp

Filesize
1.6MB

MD5
8b03d1f60bdf0b6465c0623109e7269e

SHA1
33fb1f09f53ca182e1112ed973fce8fa97e4398f

SHA256
1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf

SHA512
8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbefcf26-6e9b-4904-be24-4d0495b8aa70.vbs

Filesize
509B

MD5
c433ded079144b90f57050978f3f131c

SHA1
032818910fd24c86e433290cd985e2285124ed08

SHA256
c7b455f2f4cd387574b1a5e08ffe6bf841332114ec791cfa95cb202189c6840f

SHA512
3e0f3cc36eaacb5f460847e0a7f264548f8b4fa2f8219cf43826649cf44cb5ea695477f12e0385cbf59677f2e34184f9a626ace5cdcb4017d73db04ecafe4030

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4909cc9-401e-430a-9951-a19e25d569eb.vbs

Filesize
732B

MD5
02ae326d17895f78243db7ff4c068a5f

SHA1
5c287cbecd700d63e74afd779e8e40195602b2a3

SHA256
cece1dcebe6604fb9a2de65cf8284f7649b172d18bce30695e25fbf61d6d884f

SHA512
0b210a454eebbfd1ea1ffad02f64807d50056730b0620e1213c1092645a89d9f2a986152c833b392135c5496eb7faddcd8edaac05a631263b0d8d525b975f0d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c181fcabd5d4db82a2965976dc7d0782

SHA1
bf3ed984433d2309f6274ae46ed53ae774a52555

SHA256
6618734d87805a39d74c0ff2780e0222cf8f4149727cd7c0c9f060794da2e7d2

SHA512
6e8bb57e9afe80055f7452a5ad0055937e9a9eca0b4ab9ace7036423158566043e19d9a05c8cd752620beb4dcbd4c4735eba6c93acca94e403191fec80d4a827

Download Submit
C:\Windows\LiveKernelReports\spoolsv.exe

Filesize
1.6MB

MD5
294e86b19dc9d397ca7bf2a16e52f5e5

SHA1
604013d841fb5af5b06e12a11c3c825c962cb43f

SHA256
cbda464b7c254ef90a7c0261642ff50e850b011de75a25806975ca7bff454644

SHA512
fe50d588f74d06cf8754fcac3dca1e73d8bffb29a9d73852ec1425587ee88b28b7be27b06bdb6a5c4833705678622d95e5b9478cceed21e25f87e878e13acfd4

Download Submit
memory/872-176-0x0000000001390000-0x0000000001532000-memory.dmp

Filesize
1.6MB

Download
memory/1148-153-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download
memory/1504-188-0x0000000000060000-0x0000000000202000-memory.dmp

Filesize
1.6MB

Download
memory/1536-117-0x0000000001280000-0x0000000001422000-memory.dmp

Filesize
1.6MB

Download
memory/1616-141-0x00000000003A0000-0x0000000000542000-memory.dmp

Filesize
1.6MB

Download
memory/1652-105-0x00000000009A0000-0x0000000000B42000-memory.dmp

Filesize
1.6MB

Download
memory/1740-99-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1944-98-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2164-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

Filesize
4KB

Download
memory/2164-4-0x0000000000610000-0x0000000000620000-memory.dmp

Filesize
64KB

Download
memory/2164-106-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2164-12-0x00000000023A0000-0x00000000023AE000-memory.dmp

Filesize
56KB

Download
memory/2164-13-0x00000000023B0000-0x00000000023B8000-memory.dmp

Filesize
32KB

Download
memory/2164-11-0x0000000002390000-0x000000000239A000-memory.dmp

Filesize
40KB

Download
memory/2164-14-0x0000000002440000-0x0000000002448000-memory.dmp

Filesize
32KB

Download
memory/2164-1-0x00000000003B0000-0x0000000000552000-memory.dmp

Filesize
1.6MB

Download
memory/2164-15-0x0000000002450000-0x000000000245A000-memory.dmp

Filesize
40KB

Download
memory/2164-9-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/2164-16-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/2164-5-0x0000000002310000-0x0000000002326000-memory.dmp

Filesize
88KB

Download
memory/2164-10-0x0000000002380000-0x000000000238C000-memory.dmp

Filesize
48KB

Download
memory/2164-7-0x0000000002350000-0x0000000002360000-memory.dmp

Filesize
64KB

Download
memory/2164-6-0x0000000000820000-0x0000000000828000-memory.dmp

Filesize
32KB

Download
memory/2164-3-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/2164-8-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2164-2-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-129-0x0000000001330000-0x00000000014D2000-memory.dmp

Filesize
1.6MB

Download
memory/2880-200-0x0000000000CF0000-0x0000000000E92000-memory.dmp

Filesize
1.6MB

Download