dcrat | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
113s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Size

1.6MB
MD5

1ce9d2fa35466d6d37d1d56f63408884
SHA1

a389a7bcde0ed2e53bfe20379fd42ec9db7bf8fc
SHA256

0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1
SHA512

f3a939183f5bcac1d5cdf92b3061227e407d8e5d0119f40130ce0e31cdcb63e741ba8978fd0ca9c43e4a6e1e68d5dac54eea2dcc9921fd6e787a799b0c441cb2
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/2520-1-0x0000000000F50000-0x00000000010F2000-memory.dmp	dcrat
behavioral3/files/0x000500000001a4cc-44.dat	dcrat
behavioral3/files/0x0005000000019f9f-25.dat	dcrat
behavioral3/memory/2688-168-0x0000000000BE0000-0x0000000000D82000-memory.dmp	dcrat
behavioral3/memory/2884-179-0x0000000001050000-0x00000000011F2000-memory.dmp	dcrat
behavioral3/memory/784-191-0x0000000001120000-0x00000000012C2000-memory.dmp	dcrat
behavioral3/memory/2072-236-0x0000000000140000-0x00000000002E2000-memory.dmp	dcrat
behavioral3/memory/3036-248-0x0000000000800000-0x00000000009A2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
876	powershell.exe
1508	powershell.exe
2408	powershell.exe
1692	powershell.exe
3068	powershell.exe
2920	powershell.exe
1684	powershell.exe
1700	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2688	sppsvc.exe
2884	sppsvc.exe
784	sppsvc.exe
2932	sppsvc.exe
1904	sppsvc.exe
920	sppsvc.exe
2072	sppsvc.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\et-EE\spoolsv.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Windows\SysWOW64\et-EE\f3b6ecef712a24	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Windows\SysWOW64\et-EE\RCXC875.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Windows\SysWOW64\et-EE\RCXC886.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Windows\SysWOW64\et-EE\spoolsv.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\6203df4a6bafc7	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files\Reference Assemblies\0a1fd5f707cd16	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXC258.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCXC671.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\RCXC672.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXCA8B.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files\Reference Assemblies\sppsvc.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Common Files\Services\lsass.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\lsass.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RCXC1EA.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXCA8A.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\886983d96e3d3e	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Program Files\Reference Assemblies\sppsvc.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\security\ApplicationId\56085415360792	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Windows\security\ApplicationId\RCXC45C.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Windows\security\ApplicationId\RCXC46D.tmp	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File opened for modification	C:\Windows\security\ApplicationId\wininit.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
File created	C:\Windows\security\ApplicationId\wininit.exe	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
2456	schtasks.exe
3020	schtasks.exe
2744	schtasks.exe
2836	schtasks.exe
2848	schtasks.exe
2672	schtasks.exe
2460	schtasks.exe
1900	schtasks.exe
2996	schtasks.exe
2080	schtasks.exe
2816	schtasks.exe
2620	schtasks.exe
1176	schtasks.exe
1596	schtasks.exe
1248	schtasks.exe
1928	schtasks.exe
2644	schtasks.exe
2584	schtasks.exe
1708	schtasks.exe
1748	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2688	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
1700	powershell.exe
876	powershell.exe
2408	powershell.exe
1684	powershell.exe
3068	powershell.exe
1692	powershell.exe
1508	powershell.exe
2920	powershell.exe
2688	sppsvc.exe
2884	sppsvc.exe
784	sppsvc.exe
2932	sppsvc.exe
1904	sppsvc.exe
920	sppsvc.exe
2072	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2688	sppsvc.exe
Token: SeDebugPrivilege	2884	sppsvc.exe
Token: SeDebugPrivilege	784	sppsvc.exe
Token: SeDebugPrivilege	2932	sppsvc.exe
Token: SeDebugPrivilege	1904	sppsvc.exe
Token: SeDebugPrivilege	920	sppsvc.exe
Token: SeDebugPrivilege	2072	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2408	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	53
PID 2520 wrote to memory of 2408	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	53
PID 2520 wrote to memory of 2408	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	53
PID 2520 wrote to memory of 1508	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	54
PID 2520 wrote to memory of 1508	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	54
PID 2520 wrote to memory of 1508	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	54
PID 2520 wrote to memory of 876	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	55
PID 2520 wrote to memory of 876	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	55
PID 2520 wrote to memory of 876	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	55
PID 2520 wrote to memory of 1700	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	56
PID 2520 wrote to memory of 1700	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	56
PID 2520 wrote to memory of 1700	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	56
PID 2520 wrote to memory of 1684	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	57
PID 2520 wrote to memory of 1684	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	57
PID 2520 wrote to memory of 1684	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	57
PID 2520 wrote to memory of 2920	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	59
PID 2520 wrote to memory of 2920	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	59
PID 2520 wrote to memory of 2920	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	59
PID 2520 wrote to memory of 3068	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	61
PID 2520 wrote to memory of 3068	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	61
PID 2520 wrote to memory of 3068	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	61
PID 2520 wrote to memory of 1692	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	62
PID 2520 wrote to memory of 1692	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	62
PID 2520 wrote to memory of 1692	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	62
PID 2520 wrote to memory of 2304	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	69
PID 2520 wrote to memory of 2304	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	69
PID 2520 wrote to memory of 2304	2520	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	69
PID 2304 wrote to memory of 2044	2304	cmd.exe	71
PID 2304 wrote to memory of 2044	2304	cmd.exe	71
PID 2304 wrote to memory of 2044	2304	cmd.exe	71
PID 2304 wrote to memory of 2688	2304	cmd.exe	72
PID 2304 wrote to memory of 2688	2304	cmd.exe	72
PID 2304 wrote to memory of 2688	2304	cmd.exe	72
PID 2304 wrote to memory of 2688	2304	cmd.exe	72
PID 2304 wrote to memory of 2688	2304	cmd.exe	72
PID 2688 wrote to memory of 1248	2688	sppsvc.exe	73
PID 2688 wrote to memory of 1248	2688	sppsvc.exe	73
PID 2688 wrote to memory of 1248	2688	sppsvc.exe	73
PID 2688 wrote to memory of 1900	2688	sppsvc.exe	74
PID 2688 wrote to memory of 1900	2688	sppsvc.exe	74
PID 2688 wrote to memory of 1900	2688	sppsvc.exe	74
PID 1248 wrote to memory of 2884	1248	WScript.exe	75
PID 1248 wrote to memory of 2884	1248	WScript.exe	75
PID 1248 wrote to memory of 2884	1248	WScript.exe	75
PID 1248 wrote to memory of 2884	1248	WScript.exe	75
PID 1248 wrote to memory of 2884	1248	WScript.exe	75
PID 2884 wrote to memory of 1144	2884	sppsvc.exe	76
PID 2884 wrote to memory of 1144	2884	sppsvc.exe	76
PID 2884 wrote to memory of 1144	2884	sppsvc.exe	76
PID 2884 wrote to memory of 1204	2884	sppsvc.exe	77
PID 2884 wrote to memory of 1204	2884	sppsvc.exe	77
PID 2884 wrote to memory of 1204	2884	sppsvc.exe	77
PID 1144 wrote to memory of 784	1144	WScript.exe	78
PID 1144 wrote to memory of 784	1144	WScript.exe	78
PID 1144 wrote to memory of 784	1144	WScript.exe	78
PID 1144 wrote to memory of 784	1144	WScript.exe	78
PID 1144 wrote to memory of 784	1144	WScript.exe	78
PID 784 wrote to memory of 2656	784	sppsvc.exe	79
PID 784 wrote to memory of 2656	784	sppsvc.exe	79
PID 784 wrote to memory of 2656	784	sppsvc.exe	79
PID 784 wrote to memory of 888	784	sppsvc.exe	80
PID 784 wrote to memory of 888	784	sppsvc.exe	80
PID 784 wrote to memory of 888	784	sppsvc.exe	80
PID 2656 wrote to memory of 2932	2656	WScript.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
"C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\et-EE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dcGT0uuCTo.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2044
- - C:\Program Files\Reference Assemblies\sppsvc.exe
    "C:\Program Files\Reference Assemblies\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ce9bae0-d802-4975-b079-0db99b8b8b95.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Program Files\Reference Assemblies\sppsvc.exe
        
        "C:\Program Files\Reference Assemblies\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6094286c-67f3-4d7a-8b74-efb8be61dfb0.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Program Files\Reference Assemblies\sppsvc.exe
        
        "C:\Program Files\Reference Assemblies\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\877aa9b8-7bf0-4950-8b1b-d33431c69537.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Program Files\Reference Assemblies\sppsvc.exe
        
        "C:\Program Files\Reference Assemblies\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7fa057f-c516-42f5-a0eb-33c31f159acd.vbs"
        10⤵
        
        PID:892
        
        C:\Program Files\Reference Assemblies\sppsvc.exe
        
        "C:\Program Files\Reference Assemblies\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c3fbbacd-0f29-4b50-a167-08e3484a8a75.vbs"
        12⤵
        
        PID:692
        
        C:\Program Files\Reference Assemblies\sppsvc.exe
        
        "C:\Program Files\Reference Assemblies\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0344ec0-2faf-428e-9652-7b7a49534475.vbs"
        14⤵
        
        PID:1776
        
        C:\Program Files\Reference Assemblies\sppsvc.exe
        
        "C:\Program Files\Reference Assemblies\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b55a81-ffbf-4027-ba09-8bc3f61de89b.vbs"
        16⤵
        
        PID:2120
        
        C:\Program Files\Reference Assemblies\sppsvc.exe
        
        "C:\Program Files\Reference Assemblies\sppsvc.exe"
        17⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c7103d2-18d3-4932-b9c8-96855ee54a24.vbs"
        18⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ca6370e-6bce-45bc-93df-d12cbfdb060b.vbs"
        18⤵
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1d94ca1-4d0b-4adb-9db3-3335457ccbc9.vbs"
        16⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2dda5801-8d47-4910-88db-ec0094dc636e.vbs"
        14⤵
        
        PID:528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\657c5d73-e12b-4c79-9053-a4a81675a2ff.vbs"
        12⤵
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41c3c120-daa8-42e5-8dfd-46d12838c57c.vbs"
        10⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a4d4778-6a40-4068-b505-a0383ac71fde.vbs"
        8⤵
        
        PID:888
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfed5876-5090-4697-b24c-6fbb13ffe26e.vbs"
        6⤵
        
        PID:1204
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aca7a118-529e-4beb-b558-c1a6845f3ac4.vbs"
      4⤵
      PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\security\ApplicationId\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\security\ApplicationId\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\et-EE\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SysWOW64\et-EE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\et-EE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Services\lsass.exe

Filesize
1.6MB

MD5
849f3acc2cd29723538dd49515b27bbd

SHA1
08eea88f2bd3561c5743cf33f9336fc8528dd1b6

SHA256
5387245f971a2170781fab82d507f498f23e1c7f046cf5fa8a63ad06d00b783f

SHA512
4eae8177ea959b31cf5675e77d2244d6b1acebdc31b9ab36a929f2445a618fb6029a1d5dacd5bbc4ad01aaa5ab6f7259e30b73c4ab4efbd27bb83f374ea9b3c9

Download Submit
C:\Program Files\Reference Assemblies\sppsvc.exe

Filesize
1.6MB

MD5
1ce9d2fa35466d6d37d1d56f63408884

SHA1
a389a7bcde0ed2e53bfe20379fd42ec9db7bf8fc

SHA256
0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1

SHA512
f3a939183f5bcac1d5cdf92b3061227e407d8e5d0119f40130ce0e31cdcb63e741ba8978fd0ca9c43e4a6e1e68d5dac54eea2dcc9921fd6e787a799b0c441cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c7103d2-18d3-4932-b9c8-96855ee54a24.vbs

Filesize
724B

MD5
6ca78fa59b5a688067b728d48843dd9f

SHA1
158d1276050d5db12656407a1659d02f88ef0237

SHA256
504c1ed6d30617f1504c8458970b488a3d27b60867f4c321abbb1703101c44de

SHA512
036e6e208a9d7f4b1b1b34d27bb6c02ebf0f385b915c2ab70c2cae56c6e9eb25f22530b3e0b0e37d7bf6ba774e56e13bfb4a1ee09b0f4aada9eaa4b1f8f6f896

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ce9bae0-d802-4975-b079-0db99b8b8b95.vbs

Filesize
724B

MD5
509805c62e23edd48e2013ebdad3e991

SHA1
a89ff249dce21dace91cb5782d485a9caa36d632

SHA256
f522a02f1464154522c0c72b6647a1880ac89f8033de51fdbff5000babd4487f

SHA512
a23b81ffa03fce880f0c947ba65a4bbbb89abbf1d3811ca613f9cf1510d963a6ce738c6520e52bc80911a900256d43f532bca139dea6aa0030f848f8dc68673d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6094286c-67f3-4d7a-8b74-efb8be61dfb0.vbs

Filesize
724B

MD5
e0e3f3429e21c9a04f303c8da16dea18

SHA1
2b4e644ae85f078b333fcf903eaed014909a179d

SHA256
49851079c58577d2935103f47aba2a4e9743cec9cc458c5d44ceb7929f252502

SHA512
7cb8c35588eb202d27f3d132375d65c9d4fdfffd945049d79a8a6ca810e479764dd46595b7c0bf6e29e7abc8750a8bac63ed74733a5e2899d9cfeb063673ef2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\877aa9b8-7bf0-4950-8b1b-d33431c69537.vbs

Filesize
723B

MD5
83cead7b8b3a10ba88ea7810bd7bda21

SHA1
d5bfb41695e210f3aebeaa7806b5f2ba4ca6e160

SHA256
7bd7fca2c3beedf4cb97b4b0e69b3b05cc1977bf406fa2cba67d425b695dee54

SHA512
232afb73d84b9d9c73d91096c75aae22d6ec6bc35aaa65296257d2f68619a69fe11d48e261e2ca3fb0bf3c814e0abc3882abac78bf12711d1bb882032636bc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1b55a81-ffbf-4027-ba09-8bc3f61de89b.vbs

Filesize
724B

MD5
b1dbba0ae6ebcc3d7817eceee101b05e

SHA1
6e7f561e4efcec01744849ef9ba24898f013f0b5

SHA256
e519e03765ce023c1513923689a5a0d8a31bbd3189a4838768530ac06ef7fd48

SHA512
3163082ba26df3ee4d8450c7bca439f7e9f24a1fb858d0b0061d3cb97d9adddef9a9be2e9f358052c30aa27b863a9c1a8f1354145257f41f442b65f7b26181ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\aca7a118-529e-4beb-b558-c1a6845f3ac4.vbs

Filesize
500B

MD5
8c040830daa36def382b5b1428a8c7f7

SHA1
d447a1f02388d211f8943c3cdac7d2e6dcd8cfb1

SHA256
cf69796bb440d1f63e134bddac38cfbc5250908bcd76f46135fbfdba8b5ddcf8

SHA512
83870a38b1e2418a619f90f41c7de09691a415acc54b9f8c3c39cf79c144462369711b7a8833134d58d8d07526a79b9bf7c8cd696c2bc704168b7670422c3fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c3fbbacd-0f29-4b50-a167-08e3484a8a75.vbs

Filesize
724B

MD5
0ec969e2000bf57a0a492ccd254d054b

SHA1
b43c62d636b2b5e7bf5f867038a7662e9edd0360

SHA256
6acd27a426bdf60d590baae3ebd0c976621a4e4b15ec10c6db56870b61425b78

SHA512
ddd4225263ba1df506b2717a29ecf11e28331a37884d1b5b0e7134b7f1b518bbf5befc8609d8686b45bdd2543ad85749073aec7d14469673fbbfa511bc9a0f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0344ec0-2faf-428e-9652-7b7a49534475.vbs

Filesize
723B

MD5
604f0b1b891693dd29f84e257a891b95

SHA1
13e29a0e7fd1f0836aa206272e246322cea6951d

SHA256
a75b69c81a0516f592251f597093776a4c4ae5100ee0b4e71096c641c24e3e1e

SHA512
ff25d5d1e03dba0a64e1650de4903de55d39e5a8f66e3295e7a030c12fb7171fcd26c0f022467fb387f3d1eeca5f5998a7c1fde44cf1910aee3874765d116d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7fa057f-c516-42f5-a0eb-33c31f159acd.vbs

Filesize
724B

MD5
78867778b933eb1a7dc3b427cde66a79

SHA1
5e8e1239dfffe93e4feb7142ccb0aa22eb0aa22b

SHA256
688361689594d53fbd81c7c347dddbe70ca22b0695c4a264892eeae36ef407a3

SHA512
b7b4b921ae8f133bb756445604245770fa0fd77d8f82922d4f3f6939077a6211c9b06b55aaac4eb573bf3e7c7ce6890aefb6e3728e03608ec2be4e3b145b42dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcGT0uuCTo.bat

Filesize
213B

MD5
ec3c5be44d67307b4900d865c80ae3d8

SHA1
a172fd2857940a9ebc5c435712556819c7f57412

SHA256
fb29e20e9f74b63d37f9ace4b8f4de53bc5472510a3b63da4c8b4569351187c4

SHA512
c92913302dea713e465185b55d8cb0c74e58fd94e4279ed2351833f96e46af0e87adb3b0c0005f93da32f7e421afe0cb3739c21c6b70963f904ec5b021798d14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1433ba2ba83497b9618b092dc170bc40

SHA1
f002a6298d317e4e36107aa8baa50f206771d0c5

SHA256
05e0398a9dbd94a126b3c3f27d15b7639107f16312bdb759998954b7ad691760

SHA512
ef87bb8a7931d1dc13ea299c1af8589a969934fcce3b6ded874de08b42b4a83d667faa213f07f4e89795274a5d003a2742bb61449c22fed19ade857613a2a889

Download Submit
memory/784-191-0x0000000001120000-0x00000000012C2000-memory.dmp

Filesize
1.6MB

Download
memory/1700-145-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1700-157-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2072-236-0x0000000000140000-0x00000000002E2000-memory.dmp

Filesize
1.6MB

Download
memory/2520-3-0x0000000000560000-0x000000000057C000-memory.dmp

Filesize
112KB

Download
memory/2520-12-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/2520-4-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2520-159-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-6-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/2520-7-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2520-8-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2520-1-0x0000000000F50000-0x00000000010F2000-memory.dmp

Filesize
1.6MB

Download
memory/2520-9-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/2520-11-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2520-2-0x000007FEF5390000-0x000007FEF5D7C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-0-0x000007FEF5393000-0x000007FEF5394000-memory.dmp

Filesize
4KB

Download
memory/2520-13-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/2520-14-0x0000000000C70000-0x0000000000C78000-memory.dmp

Filesize
32KB

Download
memory/2520-15-0x0000000000C80000-0x0000000000C8A000-memory.dmp

Filesize
40KB

Download
memory/2520-16-0x0000000000C90000-0x0000000000C9C000-memory.dmp

Filesize
48KB

Download
memory/2520-10-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/2520-5-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/2688-168-0x0000000000BE0000-0x0000000000D82000-memory.dmp

Filesize
1.6MB

Download
memory/2884-179-0x0000000001050000-0x00000000011F2000-memory.dmp

Filesize
1.6MB

Download
memory/3036-248-0x0000000000800000-0x00000000009A2000-memory.dmp

Filesize
1.6MB

Download