dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43e3cf7f28351d5c551164a74a93d356.exe
Size

885KB
MD5

43e3cf7f28351d5c551164a74a93d356
SHA1

9437db06357fce38247b3f3ef0f67185b3f5a9f0
SHA256

ed6e748881b649402434d33ab8831f87d239ef339b7909620877678b09c0e6eb
SHA512

c5651323110e6af4400664baab5238b5b5ab55835737b64d2e0cb971694023e8bce2307d26dcbfc7b7a2a2a53b4bb3c157f55156ba095795d081fe19208516cc
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5204	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	5556	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	5556	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/3060-1-0x0000000000D60000-0x0000000000E44000-memory.dmp	dcrat
behavioral2/files/0x0007000000024333-19.dat	dcrat

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	43e3cf7f28351d5c551164a74a93d356.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 12 IoCs

pid	Process
2204	sysmon.exe
3096	sysmon.exe
4552	sysmon.exe
3720	sysmon.exe
1032	sysmon.exe
4272	sysmon.exe
4548	sysmon.exe
1416	sysmon.exe
2212	sysmon.exe
3872	sysmon.exe
1448	sysmon.exe
4860	sysmon.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\121e5b5079f7c0	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files\edge_BITS_4740_303449538\RCXCF0C.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files\edge_BITS_4740_303449538\RCXCF1C.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXCF41.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXCF51.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files\edge_BITS_4740_303449538\taskhostw.exe	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files\edge_BITS_4740_303449538\ea9f0e6c9e2dcd	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files (x86)\Google\Update\sysmon.exe	43e3cf7f28351d5c551164a74a93d356.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\55b276f4edf653	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Windows\Setup\State\RCXCF1D.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Windows\Setup\State\RCXCF2E.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Windows\Setup\State\StartMenuExperienceHost.exe	43e3cf7f28351d5c551164a74a93d356.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	43e3cf7f28351d5c551164a74a93d356.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
852	schtasks.exe
5056	schtasks.exe
4600	schtasks.exe
4720	schtasks.exe
4736	schtasks.exe
5204	schtasks.exe
5160	schtasks.exe
4444	schtasks.exe
4560	schtasks.exe
5444	schtasks.exe
3444	schtasks.exe
4492	schtasks.exe
3068	schtasks.exe
4624	schtasks.exe
4636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
3060	43e3cf7f28351d5c551164a74a93d356.exe
2204	sysmon.exe
3096	sysmon.exe
4552	sysmon.exe
3720	sysmon.exe
1032	sysmon.exe
4272	sysmon.exe
4548	sysmon.exe
1416	sysmon.exe
2212	sysmon.exe
3872	sysmon.exe
1448	sysmon.exe
4860	sysmon.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	43e3cf7f28351d5c551164a74a93d356.exe
Token: SeDebugPrivilege	2204	sysmon.exe
Token: SeDebugPrivilege	3096	sysmon.exe
Token: SeDebugPrivilege	4552	sysmon.exe
Token: SeDebugPrivilege	3720	sysmon.exe
Token: SeDebugPrivilege	1032	sysmon.exe
Token: SeDebugPrivilege	4272	sysmon.exe
Token: SeDebugPrivilege	4548	sysmon.exe
Token: SeDebugPrivilege	1416	sysmon.exe
Token: SeDebugPrivilege	2212	sysmon.exe
Token: SeDebugPrivilege	3872	sysmon.exe
Token: SeDebugPrivilege	1448	sysmon.exe
Token: SeDebugPrivilege	4860	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 3936	3060	43e3cf7f28351d5c551164a74a93d356.exe	104
PID 3060 wrote to memory of 3936	3060	43e3cf7f28351d5c551164a74a93d356.exe	104
PID 3936 wrote to memory of 5432	3936	cmd.exe	106
PID 3936 wrote to memory of 5432	3936	cmd.exe	106
PID 3936 wrote to memory of 2204	3936	cmd.exe	107
PID 3936 wrote to memory of 2204	3936	cmd.exe	107
PID 2204 wrote to memory of 5468	2204	sysmon.exe	108
PID 2204 wrote to memory of 5468	2204	sysmon.exe	108
PID 2204 wrote to memory of 6112	2204	sysmon.exe	109
PID 2204 wrote to memory of 6112	2204	sysmon.exe	109
PID 5468 wrote to memory of 3096	5468	WScript.exe	110
PID 5468 wrote to memory of 3096	5468	WScript.exe	110
PID 3096 wrote to memory of 404	3096	sysmon.exe	111
PID 3096 wrote to memory of 404	3096	sysmon.exe	111
PID 3096 wrote to memory of 1904	3096	sysmon.exe	112
PID 3096 wrote to memory of 1904	3096	sysmon.exe	112
PID 404 wrote to memory of 4552	404	WScript.exe	113
PID 404 wrote to memory of 4552	404	WScript.exe	113
PID 4552 wrote to memory of 5456	4552	sysmon.exe	114
PID 4552 wrote to memory of 5456	4552	sysmon.exe	114
PID 4552 wrote to memory of 64	4552	sysmon.exe	115
PID 4552 wrote to memory of 64	4552	sysmon.exe	115
PID 5456 wrote to memory of 3720	5456	WScript.exe	119
PID 5456 wrote to memory of 3720	5456	WScript.exe	119
PID 3720 wrote to memory of 6052	3720	sysmon.exe	120
PID 3720 wrote to memory of 6052	3720	sysmon.exe	120
PID 3720 wrote to memory of 3640	3720	sysmon.exe	121
PID 3720 wrote to memory of 3640	3720	sysmon.exe	121
PID 6052 wrote to memory of 1032	6052	WScript.exe	128
PID 6052 wrote to memory of 1032	6052	WScript.exe	128
PID 1032 wrote to memory of 5672	1032	sysmon.exe	129
PID 1032 wrote to memory of 5672	1032	sysmon.exe	129
PID 1032 wrote to memory of 4864	1032	sysmon.exe	130
PID 1032 wrote to memory of 4864	1032	sysmon.exe	130
PID 5672 wrote to memory of 4272	5672	WScript.exe	132
PID 5672 wrote to memory of 4272	5672	WScript.exe	132
PID 4272 wrote to memory of 4460	4272	sysmon.exe	133
PID 4272 wrote to memory of 4460	4272	sysmon.exe	133
PID 4272 wrote to memory of 5100	4272	sysmon.exe	134
PID 4272 wrote to memory of 5100	4272	sysmon.exe	134
PID 4460 wrote to memory of 4548	4460	WScript.exe	138
PID 4460 wrote to memory of 4548	4460	WScript.exe	138
PID 4548 wrote to memory of 3328	4548	sysmon.exe	139
PID 4548 wrote to memory of 3328	4548	sysmon.exe	139
PID 4548 wrote to memory of 1200	4548	sysmon.exe	140
PID 4548 wrote to memory of 1200	4548	sysmon.exe	140
PID 3328 wrote to memory of 1416	3328	WScript.exe	141
PID 3328 wrote to memory of 1416	3328	WScript.exe	141
PID 1416 wrote to memory of 3728	1416	sysmon.exe	142
PID 1416 wrote to memory of 3728	1416	sysmon.exe	142
PID 1416 wrote to memory of 220	1416	sysmon.exe	143
PID 1416 wrote to memory of 220	1416	sysmon.exe	143
PID 3728 wrote to memory of 2212	3728	WScript.exe	144
PID 3728 wrote to memory of 2212	3728	WScript.exe	144
PID 2212 wrote to memory of 6060	2212	sysmon.exe	145
PID 2212 wrote to memory of 6060	2212	sysmon.exe	145
PID 2212 wrote to memory of 3932	2212	sysmon.exe	146
PID 2212 wrote to memory of 3932	2212	sysmon.exe	146
PID 6060 wrote to memory of 3872	6060	WScript.exe	147
PID 6060 wrote to memory of 3872	6060	WScript.exe	147
PID 3872 wrote to memory of 4740	3872	sysmon.exe	148
PID 3872 wrote to memory of 4740	3872	sysmon.exe	148
PID 3872 wrote to memory of 3488	3872	sysmon.exe	149
PID 3872 wrote to memory of 3488	3872	sysmon.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\43e3cf7f28351d5c551164a74a93d356.exe
"C:\Users\Admin\AppData\Local\Temp\43e3cf7f28351d5c551164a74a93d356.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IzAeSBr3N2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5432
- - C:\Program Files (x86)\Google\Update\sysmon.exe
    "C:\Program Files (x86)\Google\Update\sysmon.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fec9a69d-1455-4d2a-8bca-83dbf607c09d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5468
    - - C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f1d1d9-b6e9-440b-92d8-b383a5a51e8f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a6d1129-5f4c-4893-857e-396750162086.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5456
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f938a971-5962-492b-805f-0aea9a5239f8.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:6052
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21abe1a1-7984-4c5f-925d-f15f2762fde7.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5672
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04cd7cf0-992c-42a3-a0f7-13747d3172d5.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea254d42-9fd4-4077-87a0-dfbb9228dc10.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df48e3ee-499a-49d5-b849-87909e46d42e.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0831dbe-0ba7-4fcb-a043-5d9e28a1a556.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:6060
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c28d4461-2718-4fd3-a0d3-3d05773367cd.vbs"
        22⤵
        
        PID:4740
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40f96927-690b-4e3b-a341-14de61c9ed8c.vbs"
        24⤵
        
        PID:1576
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd067452-5bb6-4971-a41a-ca420c492db5.vbs"
        26⤵
        
        PID:4244
        
        C:\Program Files (x86)\Google\Update\sysmon.exe
        
        "C:\Program Files (x86)\Google\Update\sysmon.exe"
        27⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ec78aba-5498-4ea9-a4a4-8263855a62a4.vbs"
        26⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78f23b61-5957-4594-846d-9063ea316ab3.vbs"
        24⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8679a04-eaa9-4f01-ba34-085a4a5e8327.vbs"
        22⤵
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a394358b-9e12-4c6f-841d-1d8e8d158813.vbs"
        20⤵
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe48c599-25c6-44a8-8d51-7c196c6fbe6a.vbs"
        18⤵
        
        PID:220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b75de3b7-0605-4905-a606-3998800461b0.vbs"
        16⤵
        
        PID:1200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8194660f-4bed-4a70-a295-4f64b3cd1153.vbs"
        14⤵
        
        PID:5100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd497e22-e866-4885-a72d-3c7529cd3426.vbs"
        12⤵
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03849f8d-2897-415d-ab0f-db04724d1a54.vbs"
        10⤵
        
        PID:3640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e66b658-985a-4fa2-98b2-88d8d69e080d.vbs"
        8⤵
        
        PID:64
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cd233d7-2780-4c67-ad02-d1833da18ab0.vbs"
        6⤵
        
        PID:1904
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db396822-f0be-4838-ba10-88eae2142cb4.vbs"
      4⤵
      PID:6112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "43e3cf7f28351d5c551164a74a93d3564" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\43e3cf7f28351d5c551164a74a93d356.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "43e3cf7f28351d5c551164a74a93d356" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\43e3cf7f28351d5c551164a74a93d356.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "43e3cf7f28351d5c551164a74a93d3564" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\43e3cf7f28351d5c551164a74a93d356.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files\edge_BITS_4740_303449538\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4740_303449538\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4740_303449538\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Setup\State\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\sysmon.exe

Filesize
885KB

MD5
43e3cf7f28351d5c551164a74a93d356

SHA1
9437db06357fce38247b3f3ef0f67185b3f5a9f0

SHA256
ed6e748881b649402434d33ab8831f87d239ef339b7909620877678b09c0e6eb

SHA512
c5651323110e6af4400664baab5238b5b5ab55835737b64d2e0cb971694023e8bce2307d26dcbfc7b7a2a2a53b4bb3c157f55156ba095795d081fe19208516cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\04cd7cf0-992c-42a3-a0f7-13747d3172d5.vbs

Filesize
723B

MD5
ae34b6b74b6aed410bcd85be4842d03f

SHA1
eb4468da5a5d794c56eb7e62f51218eade90c98b

SHA256
e3b074ab50943759bbe9475a35b4205f902c81dd13f889fbf35d67aaf5e55b9a

SHA512
e1ce99714458946b95d516b6534755212cc2328c26ae195741cf2d206d9a14daedcbc9b2e3b63dce8310dd386fb897a58bf66ac2078aa3efbda426020d864597

Download Submit
C:\Users\Admin\AppData\Local\Temp\07f1d1d9-b6e9-440b-92d8-b383a5a51e8f.vbs

Filesize
723B

MD5
5cd294bc21fc7b24b71d2293f132fe0e

SHA1
1cf9ac27431fc5c0d50224a384ba09afe74e8df9

SHA256
9339239acdc2b59fcf654c4a7047486735ac3d4c71dcd7114f6a0c24835ecff7

SHA512
6acbb3379ff32df91ff4460e36b1af6e575af0596cbbc13e8dbf6d5a0c5acd3df8123c74ab8b1e0af8470f44c9bc7c07f9a0873b39365f7b41ee60a62221978d

Download Submit
C:\Users\Admin\AppData\Local\Temp\21abe1a1-7984-4c5f-925d-f15f2762fde7.vbs

Filesize
723B

MD5
39f0ddde024bef3ed8baff0f7920a149

SHA1
b970cbc10608eaff1dbd0a2383e470ffdd7a7ce3

SHA256
fa455bc027dd48120a947e38a3fe1f4deee4bec20089b5737382cf93583fd892

SHA512
47655d58912a332b8a25b63572fdf29f3cacec15021d9b4120d6f0415ad11061daa440121d089f18ca1d1d119f580351117f50ac3c6ae09128a750cbfff10b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\40f96927-690b-4e3b-a341-14de61c9ed8c.vbs

Filesize
723B

MD5
8caa64f8751c7c3dd9d732373c593306

SHA1
70d65ef92a4c0c0d2e6ffee6e232db3e5fc4cdd7

SHA256
1cabe6539c191919e8f5fdd8ad60918dfabce30bc0a17aaf41c3765770b57176

SHA512
eaa72bd747e0c75714620f3bc34bdfd6f8b805ca81e718834d861adc21e05bdc7e80dec13dfc791e5a157a7331d258d4566c857645ffaa1cdd97e2be5b7fafe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a6d1129-5f4c-4893-857e-396750162086.vbs

Filesize
723B

MD5
b134fc51cef1c5c1bf9e3527c27fa705

SHA1
3728d0b0b53bae1f61158652b4b327251ceab671

SHA256
a43db004827209a6a4d57c41d3ee44af27e55aa3b8b7c54b18f021e1c149770b

SHA512
1464c6da0c5836a2fdf02b58ba80d43a19901b160a49926a45e93c73218fa1675a5f11c719fb0cd132bb1a121105531661b9f1dec366708789727893be434f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IzAeSBr3N2.bat

Filesize
212B

MD5
83e1e790cd9055f9a01fe8ba80637e6a

SHA1
4e8ed3176d7433ae0c459f8a69815f2eee6aeed8

SHA256
f639b1eeb6fa751922c5e8638478c1c0c26aac071e49b082e7d92019f22909f2

SHA512
70bcba8a33bc6656d97090d0b1164324e86ebaa08cabfc3170b63617e2a238b3cd21b2060d3d64163464d3c4f36bd7706d8109db209c86a03016801ffbd1469c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd067452-5bb6-4971-a41a-ca420c492db5.vbs

Filesize
723B

MD5
fae88de8963b37506f70b1c645729faf

SHA1
20f983b1a39337efdce2027e8ed3fb123d218e45

SHA256
bb35d7e832f2c73fd3b00b0a344645e47742af64d56cc6a2b2f758c03e38ed11

SHA512
a32bcc5d6e51c77e92b9a3445e9f6b1a4f0ad633e89c7a86a5220285d6db51149f12da23c5c71e2e1da4911be916f964013ef26a4ec25101672764b065c35091

Download Submit
C:\Users\Admin\AppData\Local\Temp\c28d4461-2718-4fd3-a0d3-3d05773367cd.vbs

Filesize
723B

MD5
a6e1a4b5a47bfa2a2f9d16f8b31b9ae5

SHA1
b74d5354c964c2c0e36cd9daa4135f754004a92a

SHA256
822869d3eb65f52020ccf7eb5489e38b49e49bcc9a5b406111d623419b344199

SHA512
89065f7264865a9fa786bcd8eb297f5cc5d9a7fd67f2244baf302cee8ee57a674893e0bc2279dfab5526b3b11d3f5e7d75b3b05f994b9681e36bf2558ca1be56

Download Submit
C:\Users\Admin\AppData\Local\Temp\db396822-f0be-4838-ba10-88eae2142cb4.vbs

Filesize
499B

MD5
c04be5c918b922d748db3d61546a231c

SHA1
08ad0e272252e2c13fc78d8c42be2e3cb834bc27

SHA256
12ba26c93ab33a2d9d4222c1eeb7a87878c7905028752065dc9cf509486f808c

SHA512
e71c80e43e9035adffc92dcda17ba90f01dd5d80fb3107b99a72a253b40a9c2f5cabe705dcdad59cb6c1b063ca8ba802046428a783326c260f06cee425b43bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\df48e3ee-499a-49d5-b849-87909e46d42e.vbs

Filesize
723B

MD5
0f3cbf1060b481e50230533fd10ec9b1

SHA1
2766bfa19ed0cf1a9567c7bd0243dd5d7737d502

SHA256
e1c6b0aac5f24a793e8562538a37a21a585736beafbc1accf24573453d382f8f

SHA512
9cf7fc15df58ef2faa7c75889e634c51577fc44eb857ff7f2139860c97041b5c5e208b0cd5e4c5fe696fbaa969fb5de499c6dea866e8954385ca75345efe61ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0831dbe-0ba7-4fcb-a043-5d9e28a1a556.vbs

Filesize
723B

MD5
104f38c7f7085cde1f3cdaf4b9aa6453

SHA1
ef43137ac8646b4c713e0a12afe0088f8776c0e7

SHA256
63fee537b706633fd212ea92de6640e89a1e264af23d812d6214b717b9dd584f

SHA512
70a76906ce09114d2fd155a97cc310020f6250d64e8109567961de624d7e8e86cd7b71868b31ef0250fc2d4646a599a70fa483d53571ea5c34936df8a0189728

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea254d42-9fd4-4077-87a0-dfbb9228dc10.vbs

Filesize
723B

MD5
870727a644df01ed88a77771fd9997ba

SHA1
6d900f34d9d54d6f23ae4ef4e98d2e4655c98cad

SHA256
8ed8407e1694776610d176658ec16c5e2a56326e28498a72d3bb4a7fa3097251

SHA512
d1f384e2c1954b0bf429e18eaa36a6351659e772d87c60e5d1059c8aa1aa5fa49ecf8b6687c782953f56887bd9c39548f04c17418dcf8bd030bc5320b70d7186

Download Submit
C:\Users\Admin\AppData\Local\Temp\f938a971-5962-492b-805f-0aea9a5239f8.vbs

Filesize
723B

MD5
6b3bdfe2c31b2b2434245772ae19c4bf

SHA1
17b63d22e64b35edd0859f5377d9e5dd72e51cc6

SHA256
d97061fbf4ee8518af8de98a87f6c7a2882ce6f6d7d3cd52ee680de8c07f12ed

SHA512
a4f8e85a212e8606c5f49572051485da8c17631b65da0ded215513e098bd7ebcb5cec99060e2122589121c0d82d7c55ed0240bf0043dee847b6453ab5dc1c7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\fec9a69d-1455-4d2a-8bca-83dbf607c09d.vbs

Filesize
723B

MD5
e3bfc581c628c444918f8a2058e16ebd

SHA1
3a065862f5a55bd498b1c52bfc8a4a9a4521bb50

SHA256
788a93596c1bc659fa521b1b2a16b337205425e8d25dd6bba269e50e7d3838c0

SHA512
c620d3ad4654536a1016f441ea32bba2de0440388fcd34796a6c405294a0e605800c52ce874b914c8d449963d5a5b5a0010e8d734bff622e7c6dc2b4dd9bb670

Download Submit
memory/3060-0-0x00007FFB95533000-0x00007FFB95535000-memory.dmp

Filesize
8KB

Download
memory/3060-87-0x00007FFB95530000-0x00007FFB95FF1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-9-0x0000000002FC0000-0x0000000002FC8000-memory.dmp

Filesize
32KB

Download
memory/3060-10-0x0000000002FD0000-0x0000000002FDC000-memory.dmp

Filesize
48KB

Download
memory/3060-6-0x0000000002F80000-0x0000000002F96000-memory.dmp

Filesize
88KB

Download
memory/3060-7-0x0000000002FA0000-0x0000000002FAA000-memory.dmp

Filesize
40KB

Download
memory/3060-8-0x0000000002FB0000-0x0000000002FBE000-memory.dmp

Filesize
56KB

Download
memory/3060-5-0x0000000002F00000-0x0000000002F10000-memory.dmp

Filesize
64KB

Download
memory/3060-3-0x0000000002F60000-0x0000000002F7C000-memory.dmp

Filesize
112KB

Download
memory/3060-4-0x000000001B9C0000-0x000000001BA10000-memory.dmp

Filesize
320KB

Download
memory/3060-2-0x00007FFB95530000-0x00007FFB95FF1000-memory.dmp

Filesize
10.8MB

Download
memory/3060-1-0x0000000000D60000-0x0000000000E44000-memory.dmp

Filesize
912KB

Download