dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

454e6ce92c1c3a8c55164afd9b2d4f08.exe
Size

1.6MB
MD5

454e6ce92c1c3a8c55164afd9b2d4f08
SHA1

fe300937097e5e84fe9b9ee61292a8aa4462cec2
SHA256

f2931e5d0ed208b3ff25ea01cb1b3c2f9e03990b9e5ac912a6abce922aa16501
SHA512

91f631962f40a284638509a4c5087327b39fc1f65d3eb2e69369a611f0dffc0e60ba69aaa2061682a2ed979e42cad2b3c8c95483031f492acfce13b31662483a
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/2456-1-0x00000000009A0000-0x0000000000B42000-memory.dmp	dcrat
behavioral29/files/0x0005000000019616-25.dat	dcrat
behavioral29/memory/3044-149-0x0000000000B50000-0x0000000000CF2000-memory.dmp	dcrat
behavioral29/memory/2732-160-0x0000000000FF0000-0x0000000001192000-memory.dmp	dcrat
behavioral29/memory/3032-172-0x0000000000150000-0x00000000002F2000-memory.dmp	dcrat
behavioral29/memory/852-184-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral29/memory/820-196-0x0000000000110000-0x00000000002B2000-memory.dmp	dcrat
behavioral29/memory/2784-208-0x0000000000C20000-0x0000000000DC2000-memory.dmp	dcrat
behavioral29/memory/3036-220-0x00000000013A0000-0x0000000001542000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
1856	powershell.exe
2600	powershell.exe
1608	powershell.exe
468	powershell.exe
852	powershell.exe
1868	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3044	explorer.exe
2732	explorer.exe
3032	explorer.exe
852	explorer.exe
820	explorer.exe
2784	explorer.exe
3036	explorer.exe
1688	explorer.exe
2904	explorer.exe
2364	explorer.exe
2300	explorer.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\RCXDBB5.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\RCXD9B1.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\services.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files\Common Files\SpeechEngines\7a0fd90576e088	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXD73E.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\RCXDBB6.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCXE1D3.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files\Common Files\SpeechEngines\explorer.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXD73F.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\explorer.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCXE1D4.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\886983d96e3d3e	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\services.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\c5b4cb5e9653cc	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\27d1bcfc3c54e0	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\RCXD943.tmp	454e6ce92c1c3a8c55164afd9b2d4f08.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe	454e6ce92c1c3a8c55164afd9b2d4f08.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
2016	schtasks.exe
1472	schtasks.exe
2976	schtasks.exe
2248	schtasks.exe
2452	schtasks.exe
2932	schtasks.exe
1984	schtasks.exe
2140	schtasks.exe
2316	schtasks.exe
2920	schtasks.exe
1600	schtasks.exe
1560	schtasks.exe
2024	schtasks.exe
2020	schtasks.exe
2744	schtasks.exe
2844	schtasks.exe
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe
2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe
2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe
852	powershell.exe
1868	powershell.exe
1856	powershell.exe
2272	powershell.exe
468	powershell.exe
2600	powershell.exe
1608	powershell.exe
3044	explorer.exe
2732	explorer.exe
3032	explorer.exe
852	explorer.exe
820	explorer.exe
2784	explorer.exe
3036	explorer.exe
1688	explorer.exe
2904	explorer.exe
2364	explorer.exe
2300	explorer.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	468	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	3044	explorer.exe
Token: SeDebugPrivilege	2732	explorer.exe
Token: SeDebugPrivilege	3032	explorer.exe
Token: SeDebugPrivilege	852	explorer.exe
Token: SeDebugPrivilege	820	explorer.exe
Token: SeDebugPrivilege	2784	explorer.exe
Token: SeDebugPrivilege	3036	explorer.exe
Token: SeDebugPrivilege	1688	explorer.exe
Token: SeDebugPrivilege	2904	explorer.exe
Token: SeDebugPrivilege	2364	explorer.exe
Token: SeDebugPrivilege	2300	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1868	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	50
PID 2456 wrote to memory of 1868	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	50
PID 2456 wrote to memory of 1868	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	50
PID 2456 wrote to memory of 852	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	76
PID 2456 wrote to memory of 852	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	76
PID 2456 wrote to memory of 852	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	76
PID 2456 wrote to memory of 468	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	52
PID 2456 wrote to memory of 468	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	52
PID 2456 wrote to memory of 468	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	52
PID 2456 wrote to memory of 1608	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	55
PID 2456 wrote to memory of 1608	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	55
PID 2456 wrote to memory of 1608	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	55
PID 2456 wrote to memory of 2600	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	56
PID 2456 wrote to memory of 2600	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	56
PID 2456 wrote to memory of 2600	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	56
PID 2456 wrote to memory of 1856	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	57
PID 2456 wrote to memory of 1856	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	57
PID 2456 wrote to memory of 1856	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	57
PID 2456 wrote to memory of 2272	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	58
PID 2456 wrote to memory of 2272	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	58
PID 2456 wrote to memory of 2272	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	58
PID 2456 wrote to memory of 2512	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	64
PID 2456 wrote to memory of 2512	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	64
PID 2456 wrote to memory of 2512	2456	454e6ce92c1c3a8c55164afd9b2d4f08.exe	64
PID 2512 wrote to memory of 1344	2512	cmd.exe	66
PID 2512 wrote to memory of 1344	2512	cmd.exe	66
PID 2512 wrote to memory of 1344	2512	cmd.exe	66
PID 2512 wrote to memory of 3044	2512	cmd.exe	67
PID 2512 wrote to memory of 3044	2512	cmd.exe	67
PID 2512 wrote to memory of 3044	2512	cmd.exe	67
PID 3044 wrote to memory of 1704	3044	explorer.exe	68
PID 3044 wrote to memory of 1704	3044	explorer.exe	68
PID 3044 wrote to memory of 1704	3044	explorer.exe	68
PID 3044 wrote to memory of 2920	3044	explorer.exe	69
PID 3044 wrote to memory of 2920	3044	explorer.exe	69
PID 3044 wrote to memory of 2920	3044	explorer.exe	69
PID 1704 wrote to memory of 2732	1704	WScript.exe	70
PID 1704 wrote to memory of 2732	1704	WScript.exe	70
PID 1704 wrote to memory of 2732	1704	WScript.exe	70
PID 2732 wrote to memory of 1148	2732	explorer.exe	71
PID 2732 wrote to memory of 1148	2732	explorer.exe	71
PID 2732 wrote to memory of 1148	2732	explorer.exe	71
PID 2732 wrote to memory of 2892	2732	explorer.exe	72
PID 2732 wrote to memory of 2892	2732	explorer.exe	72
PID 2732 wrote to memory of 2892	2732	explorer.exe	72
PID 1148 wrote to memory of 3032	1148	WScript.exe	73
PID 1148 wrote to memory of 3032	1148	WScript.exe	73
PID 1148 wrote to memory of 3032	1148	WScript.exe	73
PID 3032 wrote to memory of 2296	3032	explorer.exe	74
PID 3032 wrote to memory of 2296	3032	explorer.exe	74
PID 3032 wrote to memory of 2296	3032	explorer.exe	74
PID 3032 wrote to memory of 1652	3032	explorer.exe	75
PID 3032 wrote to memory of 1652	3032	explorer.exe	75
PID 3032 wrote to memory of 1652	3032	explorer.exe	75
PID 2296 wrote to memory of 852	2296	WScript.exe	76
PID 2296 wrote to memory of 852	2296	WScript.exe	76
PID 2296 wrote to memory of 852	2296	WScript.exe	76
PID 852 wrote to memory of 1640	852	explorer.exe	77
PID 852 wrote to memory of 1640	852	explorer.exe	77
PID 852 wrote to memory of 1640	852	explorer.exe	77
PID 852 wrote to memory of 2492	852	explorer.exe	78
PID 852 wrote to memory of 2492	852	explorer.exe	78
PID 852 wrote to memory of 2492	852	explorer.exe	78
PID 1640 wrote to memory of 820	1640	WScript.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\454e6ce92c1c3a8c55164afd9b2d4f08.exe
"C:\Users\Admin\AppData\Local\Temp\454e6ce92c1c3a8c55164afd9b2d4f08.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\454e6ce92c1c3a8c55164afd9b2d4f08.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NbfAEkYJIe.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1344
- - C:\Program Files\Common Files\SpeechEngines\explorer.exe
    "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8993c39-ba60-4a3b-89b5-e6baab5368b1.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02bc2c30-2736-49b0-91f1-f02a1816904b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb1e06df-3458-4f8d-af8f-21e1ad84317c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a15b006-d58b-4487-8f74-f1811eadcfe4.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92cc8f1e-c44b-44d6-bd51-73b763f9a5ad.vbs"
        12⤵
        
        PID:484
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0678ec84-380b-4dc1-bbbd-f93b98ad7e93.vbs"
        14⤵
        
        PID:1060
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26a380c1-aabb-4dc7-bfb8-0713a6887f50.vbs"
        16⤵
        
        PID:888
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\456de983-d27e-4f2b-adf6-c8bfbd6d7837.vbs"
        18⤵
        
        PID:436
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75fce41e-00b1-41fc-9de0-f4da252efe7a.vbs"
        20⤵
        
        PID:2604
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56c47a19-9284-41db-a22b-7f770aef67dd.vbs"
        22⤵
        
        PID:2912
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11be03ba-9785-407a-ba6a-25b4065a0d3e.vbs"
        24⤵
        
        PID:2524
        
        C:\Program Files\Common Files\SpeechEngines\explorer.exe
        
        "C:\Program Files\Common Files\SpeechEngines\explorer.exe"
        25⤵
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2a1b14-ba3a-4147-b83c-e399d0924953.vbs"
        24⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c561d6c5-3f46-4b62-830f-cc22a194db6d.vbs"
        22⤵
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eed058d5-f1b5-48d5-b225-85714e02e836.vbs"
        20⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f6812c6-477c-43b9-b099-948b850920d0.vbs"
        18⤵
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a5f212-e0de-4fc6-9096-9e1012658070.vbs"
        16⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\265da8f7-f0a1-4fa9-a509-554ecaa5776e.vbs"
        14⤵
        
        PID:988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25ed74f5-1ec7-4982-80a1-1f929f40981e.vbs"
        12⤵
        
        PID:1600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aee9c726-8a4b-4ce0-b03e-42eb784dc928.vbs"
        10⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d041e41c-40a0-4b2a-a97b-ee690cebf379.vbs"
        8⤵
        
        PID:1652
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d11d1ed1-6a26-4d77-ae35-81cd16e59a85.vbs"
        6⤵
        
        PID:2892
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9720440-0b88-4b20-b09a-bde2c56cbea9.vbs"
      4⤵
      PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\SpeechEngines\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\SpeechEngines\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe

Filesize
1.6MB

MD5
454e6ce92c1c3a8c55164afd9b2d4f08

SHA1
fe300937097e5e84fe9b9ee61292a8aa4462cec2

SHA256
f2931e5d0ed208b3ff25ea01cb1b3c2f9e03990b9e5ac912a6abce922aa16501

SHA512
91f631962f40a284638509a4c5087327b39fc1f65d3eb2e69369a611f0dffc0e60ba69aaa2061682a2ed979e42cad2b3c8c95483031f492acfce13b31662483a

Download Submit
C:\Users\Admin\AppData\Local\Temp\02bc2c30-2736-49b0-91f1-f02a1816904b.vbs

Filesize
732B

MD5
c9716c9e28a92279b69f616bd4568d70

SHA1
357784b57e93f3c445b0884ce6a8d162d2f1bf42

SHA256
85d4117e72c283f42ea3d2292106d8547651f36c8ec8737294e6d3bac6449a60

SHA512
9d839001897c0439b5cd5cbb42c1f66387c749e9bda76521cbb058636a1d5f4302aca59a05116fcc654ca33eb1b12e702fb6e63033d108fdb5a5c8c3496adc87

Download Submit
C:\Users\Admin\AppData\Local\Temp\0678ec84-380b-4dc1-bbbd-f93b98ad7e93.vbs

Filesize
732B

MD5
37556b09571df682d56aa4a95aa04bed

SHA1
00ba60999e3e7ff6c62f63dff2482bfe94aa7bf5

SHA256
94dfb9be3e0fc283f6b3458a1e18012bc5d0e1eeb2729c1f6f2545d5a2914064

SHA512
a2dd66aa572f266b2d437a905cf6f9e1fd74ef186fd391df6c94d2c9cb3d65491b8c9e185e91d1ca2b18abef1e8350c87e105c46884e29397802562968bda6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\11be03ba-9785-407a-ba6a-25b4065a0d3e.vbs

Filesize
732B

MD5
76db1637160117f681991de2f9c40c2e

SHA1
94260970e9b5798856c4992c8d585c237cfb4b59

SHA256
18061f7fb83828ea1e29ec9fe4be0154299d791e349fb1b9adbd80b26828f410

SHA512
3e2e39f1a1767cfaa0f976fcd4ecc396e0a7b534981089ec63831a1c23c4058add476d77f4553b32dfb12e0551cbaff14ad0a68bd21c9daccb18506e353e626c

Download Submit
C:\Users\Admin\AppData\Local\Temp\26a380c1-aabb-4dc7-bfb8-0713a6887f50.vbs

Filesize
732B

MD5
b9a07357dd5cf4244e363b6b952a0c94

SHA1
77bc4506cb8e3185fa44572db6a998abf83b9f62

SHA256
5d147bb55ab5a18fb5c2905195ece16c15e90388829634dba21b2f1a1408d74b

SHA512
1e95be40fb99dff325025739569da0014cd15e83503105af405c5a9d9161ce31beed3e237f2ef09bab1abbabda9115170c9f3b12b373f8aa46a6b11b017ccf21

Download Submit
C:\Users\Admin\AppData\Local\Temp\456de983-d27e-4f2b-adf6-c8bfbd6d7837.vbs

Filesize
732B

MD5
269d92a512d6dbb8f07e403401420a84

SHA1
be7f41308657bc4918cf78b690e46e1d160db7c3

SHA256
955decaedf58974d72b026ce745e8e9a36fa2a3b0a608b30eacc0876e12788a1

SHA512
96e504f072b34c16febc14f87b98ea2c8e240406953f50d2db5ab5f772de6841c588a6a5273924da8cedddc641a6b2ffbccd0ff7653c936956401e20275802fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\56c47a19-9284-41db-a22b-7f770aef67dd.vbs

Filesize
732B

MD5
e466a58c94e7d86f9bba15db947d629f

SHA1
0b60fdb631b473ae5ef161f84384310364fa7d74

SHA256
fb2a1e40dac304e096796e576a83aea066b95fca5eead89dfb688a345116bbd5

SHA512
43143ecae210141ca5e1af78ec490ef486cd7a4e4bbd5f085aaef1b0d340f95b18b6240578b1ce12080a30ab6c16a7baf61f5d191a405c0cec62e275f82bcc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a15b006-d58b-4487-8f74-f1811eadcfe4.vbs

Filesize
731B

MD5
380de03eb3f51da50a42f77400fb479b

SHA1
0e43c6542cc1a1f79ad8c8d13bb595332fd4c29f

SHA256
7b04687e8a194056ffe593b910507a95316aa5c6ad0a336545be903b3909c17d

SHA512
148ce929182a0106487bb684bd3982833f6e00b2ca6acc3288ea4c8db48534b5a43f76ed0ec8e96102962db23c7d2211027abc60be7f34fee95dff8409c35722

Download Submit
C:\Users\Admin\AppData\Local\Temp\75fce41e-00b1-41fc-9de0-f4da252efe7a.vbs

Filesize
732B

MD5
012b85c8a78e28925c7f1c15c66969a7

SHA1
a8cf263bc41b46f1c24353bf89b6e2fbbc9ce2f0

SHA256
0464c953503d4063b62a51651534962189e114e1ef033571f96943dbb5c5b2eb

SHA512
278ad34b66be82658bace6545e1ac1025d484f5f44a5c9021b4c5c8daf75873c81908222a1899139b55ace5a7926436268c2862c04b9faf21b58a02243a07a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\92cc8f1e-c44b-44d6-bd51-73b763f9a5ad.vbs

Filesize
731B

MD5
6f771e8948a8af3386eb6913a0d8c349

SHA1
0725838cbadac5bdbd063141baacf3445ab45f4a

SHA256
0935c228d8cf3382387370c96de7170ef7af4a4612cc176840de29c2a2d7ae38

SHA512
10e6ff4b5bab735f657c6b1e08e76ad3ad4272197691a5d8099dc25fc6fb34c7ba0e6792aa177c6a00fb608eb7ec857617057a92f0538a5c92cc96c969122251

Download Submit
C:\Users\Admin\AppData\Local\Temp\NbfAEkYJIe.bat

Filesize
221B

MD5
9d524fcce4e418546af30d6e7d33d450

SHA1
8b7f8b89b1b070c050693c105129824f1308498e

SHA256
5e387e12adbd661c51b15015535e1d0e5e21cf1090b0c8c7197d9225d270cdd4

SHA512
1dc11e4b65457f40dfeae1da9aafc4edf8204e4e3ca4684bf210be8b2ca3a0f51f8a9bd65eef6076efcb74024e04b41f1d4b2e8e29444d7e1b827c12d7804922

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8993c39-ba60-4a3b-89b5-e6baab5368b1.vbs

Filesize
732B

MD5
20a915d80250645e08772285cd579d1b

SHA1
a13452ffef364efff1acccde40d3430305a6ec8e

SHA256
1f7a230cc3e68157b344a03ae7cc087ab04bdf5a1b4b163b4dd69925b9ac23c7

SHA512
f2d326c5f5ff87c55085d50686264029fe56632b94b28b8466b541465bc28843cbd9ea17a25988f4fe69dda1ba0a5160ecfd12b365a6033c1c23e94559d74769

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb1e06df-3458-4f8d-af8f-21e1ad84317c.vbs

Filesize
732B

MD5
0e209bdea217b65bf5d3ad8c2d3c437e

SHA1
1c06c88ef97eccce023105518b95b56467c81f97

SHA256
0cedd041b5da069005728a39afcc812cf94fd572a6f3f11496359c10c85ca7ea

SHA512
82444a072033f76f28f4e226da76796142b300ecfdb78799577733b9ac13852f42ead940dca846f6af1343359b8db1e4eb031a2d8f901091dbb96b56433c3fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9720440-0b88-4b20-b09a-bde2c56cbea9.vbs

Filesize
508B

MD5
96affdad47aa8c9e0d6d1bf2cba9e9a2

SHA1
e62726a8278d3c7cc090e594257f4323193f257c

SHA256
609a2172127fbeff631ff8e461ab27047dbacce837935267d8f9e9a10a7d9e4a

SHA512
ae4d39d179db5d4d9697d9356ebc0c2c1763a1c513be3099c2c9355ba7a41c8c7a45c87ec4721d8e044596020158d3b4c9761c5922f432068638d7b1df0a1b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
117ffeab455244ff089a6318c7d2abf2

SHA1
86c64494982ad8409eb89e77134f4734c10e7a56

SHA256
572bad1962bd9998c8d9531c4c6a8ccf86800ed97bd01c37a29367096f114240

SHA512
99aacaa7c81a2211e6550edc3a2bb9e93a11c31a558a0abea135d74cf824e42350219707c416b20f555fc309f5e0c17fd5f2e285bb4d9892dc784de9b6733eec

Download Submit
memory/820-196-0x0000000000110000-0x00000000002B2000-memory.dmp

Filesize
1.6MB

Download
memory/852-118-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/852-184-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download
memory/1868-117-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2456-13-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/2456-12-0x0000000002150000-0x000000000215E000-memory.dmp

Filesize
56KB

Download
memory/2456-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2456-6-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2456-1-0x00000000009A0000-0x0000000000B42000-memory.dmp

Filesize
1.6MB

Download
memory/2456-7-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/2456-8-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2456-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2456-9-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/2456-4-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2456-11-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/2456-126-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/2456-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/2456-14-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2456-15-0x0000000002200000-0x000000000220A000-memory.dmp

Filesize
40KB

Download
memory/2456-5-0x0000000000660000-0x0000000000676000-memory.dmp

Filesize
88KB

Download
memory/2456-16-0x0000000002210000-0x000000000221C000-memory.dmp

Filesize
48KB

Download
memory/2456-10-0x0000000000980000-0x000000000098C000-memory.dmp

Filesize
48KB

Download
memory/2732-160-0x0000000000FF0000-0x0000000001192000-memory.dmp

Filesize
1.6MB

Download
memory/2784-208-0x0000000000C20000-0x0000000000DC2000-memory.dmp

Filesize
1.6MB

Download
memory/3032-172-0x0000000000150000-0x00000000002F2000-memory.dmp

Filesize
1.6MB

Download
memory/3036-220-0x00000000013A0000-0x0000000001542000-memory.dmp

Filesize
1.6MB

Download
memory/3044-149-0x0000000000B50000-0x0000000000CF2000-memory.dmp

Filesize
1.6MB

Download