dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4454ceb4919130c9dd9ac71aefa53879.exe
Size

885KB
MD5

4454ceb4919130c9dd9ac71aefa53879
SHA1

718ee7efda5afef9a41513902c33a767d3eba95c
SHA256

b7c8e0d773962b93371cd3a7f5617d0ced09ed117b3082fdabe319954cc2c59d
SHA512

7a7a4f2bca12d9a518d8e5dbee655a4a210c13eb44edd1d93597bd6a010a4fe9ede1c0ef6d9baca14f411ca27524ccdee486758cfb36bc67727b9c42ecca7cd1
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2740	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2740	schtasks.exe	31

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/1684-1-0x0000000000B10000-0x0000000000BF4000-memory.dmp	dcrat
behavioral9/files/0x0005000000019456-18.dat	dcrat
behavioral9/files/0x000500000001961b-44.dat	dcrat
behavioral9/memory/1272-85-0x0000000001170000-0x0000000001254000-memory.dmp	dcrat
behavioral9/memory/2764-141-0x0000000000340000-0x0000000000424000-memory.dmp	dcrat
behavioral9/memory/1688-153-0x0000000000D80000-0x0000000000E64000-memory.dmp	dcrat
behavioral9/memory/2240-176-0x0000000001130000-0x0000000001214000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
1272	lsm.exe
868	lsm.exe
1792	lsm.exe
2644	lsm.exe
1740	lsm.exe
2764	lsm.exe
1688	lsm.exe
1352	lsm.exe
2240	lsm.exe
1628	lsm.exe
2164	lsm.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\lsm.exe	4454ceb4919130c9dd9ac71aefa53879.exe
File created	C:\Program Files\VideoLAN\VLC\101b941d020240	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXFC32.tmp	4454ceb4919130c9dd9ac71aefa53879.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\RCXFC43.tmp	4454ceb4919130c9dd9ac71aefa53879.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1940	schtasks.exe
2076	schtasks.exe
2672	schtasks.exe
2972	schtasks.exe
2812	schtasks.exe
2808	schtasks.exe
2248	schtasks.exe
2788	schtasks.exe
2624	schtasks.exe
2616	schtasks.exe
2356	schtasks.exe
2776	schtasks.exe
2440	schtasks.exe
2936	schtasks.exe
1464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1684	4454ceb4919130c9dd9ac71aefa53879.exe
1272	lsm.exe
868	lsm.exe
1792	lsm.exe
2644	lsm.exe
1740	lsm.exe
2764	lsm.exe
1688	lsm.exe
1352	lsm.exe
2240	lsm.exe
1628	lsm.exe
2164	lsm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	4454ceb4919130c9dd9ac71aefa53879.exe
Token: SeDebugPrivilege	1272	lsm.exe
Token: SeDebugPrivilege	868	lsm.exe
Token: SeDebugPrivilege	1792	lsm.exe
Token: SeDebugPrivilege	2644	lsm.exe
Token: SeDebugPrivilege	1740	lsm.exe
Token: SeDebugPrivilege	2764	lsm.exe
Token: SeDebugPrivilege	1688	lsm.exe
Token: SeDebugPrivilege	1352	lsm.exe
Token: SeDebugPrivilege	2240	lsm.exe
Token: SeDebugPrivilege	1628	lsm.exe
Token: SeDebugPrivilege	2164	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1272	1684	4454ceb4919130c9dd9ac71aefa53879.exe	47
PID 1684 wrote to memory of 1272	1684	4454ceb4919130c9dd9ac71aefa53879.exe	47
PID 1684 wrote to memory of 1272	1684	4454ceb4919130c9dd9ac71aefa53879.exe	47
PID 1272 wrote to memory of 2380	1272	lsm.exe	48
PID 1272 wrote to memory of 2380	1272	lsm.exe	48
PID 1272 wrote to memory of 2380	1272	lsm.exe	48
PID 1272 wrote to memory of 2468	1272	lsm.exe	49
PID 1272 wrote to memory of 2468	1272	lsm.exe	49
PID 1272 wrote to memory of 2468	1272	lsm.exe	49
PID 2380 wrote to memory of 868	2380	WScript.exe	50
PID 2380 wrote to memory of 868	2380	WScript.exe	50
PID 2380 wrote to memory of 868	2380	WScript.exe	50
PID 868 wrote to memory of 2424	868	lsm.exe	51
PID 868 wrote to memory of 2424	868	lsm.exe	51
PID 868 wrote to memory of 2424	868	lsm.exe	51
PID 868 wrote to memory of 944	868	lsm.exe	52
PID 868 wrote to memory of 944	868	lsm.exe	52
PID 868 wrote to memory of 944	868	lsm.exe	52
PID 2424 wrote to memory of 1792	2424	WScript.exe	53
PID 2424 wrote to memory of 1792	2424	WScript.exe	53
PID 2424 wrote to memory of 1792	2424	WScript.exe	53
PID 1792 wrote to memory of 2608	1792	lsm.exe	54
PID 1792 wrote to memory of 2608	1792	lsm.exe	54
PID 1792 wrote to memory of 2608	1792	lsm.exe	54
PID 1792 wrote to memory of 1676	1792	lsm.exe	55
PID 1792 wrote to memory of 1676	1792	lsm.exe	55
PID 1792 wrote to memory of 1676	1792	lsm.exe	55
PID 2608 wrote to memory of 2644	2608	WScript.exe	56
PID 2608 wrote to memory of 2644	2608	WScript.exe	56
PID 2608 wrote to memory of 2644	2608	WScript.exe	56
PID 2644 wrote to memory of 3012	2644	lsm.exe	57
PID 2644 wrote to memory of 3012	2644	lsm.exe	57
PID 2644 wrote to memory of 3012	2644	lsm.exe	57
PID 2644 wrote to memory of 2244	2644	lsm.exe	58
PID 2644 wrote to memory of 2244	2644	lsm.exe	58
PID 2644 wrote to memory of 2244	2644	lsm.exe	58
PID 3012 wrote to memory of 1740	3012	WScript.exe	59
PID 3012 wrote to memory of 1740	3012	WScript.exe	59
PID 3012 wrote to memory of 1740	3012	WScript.exe	59
PID 1740 wrote to memory of 1268	1740	lsm.exe	60
PID 1740 wrote to memory of 1268	1740	lsm.exe	60
PID 1740 wrote to memory of 1268	1740	lsm.exe	60
PID 1740 wrote to memory of 1144	1740	lsm.exe	61
PID 1740 wrote to memory of 1144	1740	lsm.exe	61
PID 1740 wrote to memory of 1144	1740	lsm.exe	61
PID 1268 wrote to memory of 2764	1268	WScript.exe	62
PID 1268 wrote to memory of 2764	1268	WScript.exe	62
PID 1268 wrote to memory of 2764	1268	WScript.exe	62
PID 2764 wrote to memory of 348	2764	lsm.exe	63
PID 2764 wrote to memory of 348	2764	lsm.exe	63
PID 2764 wrote to memory of 348	2764	lsm.exe	63
PID 2764 wrote to memory of 832	2764	lsm.exe	64
PID 2764 wrote to memory of 832	2764	lsm.exe	64
PID 2764 wrote to memory of 832	2764	lsm.exe	64
PID 348 wrote to memory of 1688	348	WScript.exe	65
PID 348 wrote to memory of 1688	348	WScript.exe	65
PID 348 wrote to memory of 1688	348	WScript.exe	65
PID 1688 wrote to memory of 1644	1688	lsm.exe	66
PID 1688 wrote to memory of 1644	1688	lsm.exe	66
PID 1688 wrote to memory of 1644	1688	lsm.exe	66
PID 1688 wrote to memory of 2884	1688	lsm.exe	67
PID 1688 wrote to memory of 2884	1688	lsm.exe	67
PID 1688 wrote to memory of 2884	1688	lsm.exe	67
PID 1644 wrote to memory of 1352	1644	WScript.exe	69

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4454ceb4919130c9dd9ac71aefa53879.exe
"C:\Users\Admin\AppData\Local\Temp\4454ceb4919130c9dd9ac71aefa53879.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files\VideoLAN\VLC\lsm.exe
  "C:\Program Files\VideoLAN\VLC\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\517d0a97-049a-4b87-8ac7-851879b253b8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Program Files\VideoLAN\VLC\lsm.exe
      "C:\Program Files\VideoLAN\VLC\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f58af527-18a8-49f1-9ac9-6b1ddc1f11cd.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efdc5b73-b184-47b7-9423-57eed9f46f02.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\663c30fe-b5c4-4693-a56e-fc4870c69b1d.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5014163b-c3f4-4fa6-b4bc-c24f3f382f00.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\725a7790-e7e6-4caf-a440-a9ddd00a3451.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\577c69d2-f850-4aa9-9fcc-9694703f7fc4.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b209ea84-3429-49f7-8cc6-2a6d7a7ef019.vbs"
        17⤵
        
        PID:1732
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07dd7519-8b90-47c7-9519-e970662a6dc4.vbs"
        19⤵
        
        PID:1504
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a904e711-b690-41a5-9935-b3ff46aa302a.vbs"
        21⤵
        
        PID:1820
        
        C:\Program Files\VideoLAN\VLC\lsm.exe
        
        "C:\Program Files\VideoLAN\VLC\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\982788bd-eae0-4910-bdd2-c9a23e3cc203.vbs"
        23⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94448716-f894-4cd7-9bc8-9c256bea8822.vbs"
        23⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a5699f6-cd36-4d80-8da3-4d05b38f6a24.vbs"
        21⤵
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b067f31-038e-4301-bb0d-641b9adc3b4f.vbs"
        19⤵
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2051daba-6e94-4c26-a8c5-622f26b582af.vbs"
        17⤵
        
        PID:264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31dc6ef1-d2a3-4b8d-8a6a-44462e4a1e0f.vbs"
        15⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\394d3ec1-94c8-4695-b64c-b77bfa2ded64.vbs"
        13⤵
        
        PID:832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\667bc687-c58b-43d7-93e8-07bb4b41cbae.vbs"
        11⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e672b78-8cae-43eb-8c31-7f47a4a4cacc.vbs"
        9⤵
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82c7d71e-dab9-474d-959b-99dda1df91d3.vbs"
        7⤵
        
        PID:1676
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88ef6c1c-0bcf-4a7c-a6d9-a22321eaeff2.vbs"
        5⤵
        
        PID:944
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66badf64-0319-4d47-80ad-791f873079ce.vbs"
    3⤵
    PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4454ceb4919130c9dd9ac71aefa538794" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\4454ceb4919130c9dd9ac71aefa53879.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4454ceb4919130c9dd9ac71aefa53879" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\4454ceb4919130c9dd9ac71aefa53879.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4454ceb4919130c9dd9ac71aefa538794" /sc MINUTE /mo 13 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\4454ceb4919130c9dd9ac71aefa53879.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\lsass.exe

Filesize
885KB

MD5
27571ff35438c91277b3b9836d11c0c8

SHA1
92db1a7cd310d4822515b56716bcd4847df92475

SHA256
09defc971e2e01dcdf7cc67cb69f135340771509662a0fd050b60d27317d0189

SHA512
b8dc35559bd8b71066d1ca76da7af6983e865ac9841edbe65de83a974b946cf75e14cf27126e2d1e30901df97330e135923c2dc4cf35813ae6791b207b47c9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\07dd7519-8b90-47c7-9519-e970662a6dc4.vbs

Filesize
713B

MD5
2f811b539877d9bcaadbc14f5304af30

SHA1
acac42167804cf5d70cf6dce5696fe0e568fd388

SHA256
48e945caafb6fa3b9969eb8c4455b89d1ac4ee2cf59891a2d454244732cfc96a

SHA512
6afaef6a83b580e61161fdb93e92c52c0240881c908ec56a6bbd1a7d53a3e7058803b0d7132914101e1565aa07dfb1cf573a9e942957d4026bae3585fb0ecbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5014163b-c3f4-4fa6-b4bc-c24f3f382f00.vbs

Filesize
713B

MD5
422c5b8951009363905bf1d15d098c87

SHA1
b9a03cf2b3c721ac4be1546700946b9be8bc99ad

SHA256
05c93f6db735af71628dba500af20d796eed4bd428707909787aa6dc3b48f636

SHA512
5637b4f3e975c2ecc451549972715a2a9482929678038b0f5fbf0855bc96c07d09d5ba5fee1bb9f6146d9be230fa4fbb086560d5042dbadcb7ccd2249a28daeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\517d0a97-049a-4b87-8ac7-851879b253b8.vbs

Filesize
713B

MD5
067fa1fe342ea11ee783f2790940aa0a

SHA1
b8a1fd88dd1b6bd23387a89377fd2bc5612c8080

SHA256
a06325bffbe9b32ea3574a7a293a97455ba97aa3710e61f4dd44992330e895e6

SHA512
453692f1807504269a4cb2159b4589675cab96872d90ee4ed7f93e9711df27b0192a7665cda1b5126aa5e64725cb07535f54002373ed57c901b3a233b0565703

Download Submit
C:\Users\Admin\AppData\Local\Temp\577c69d2-f850-4aa9-9fcc-9694703f7fc4.vbs

Filesize
713B

MD5
d9d5edb150ec73cafe630e7885971669

SHA1
dbab146d1a1140754a81603d59244cb2e343298b

SHA256
46b159845fe4870ce72b61a49976d18c4f36fb5ba3a74bf82a4f5249689a42a8

SHA512
a2ab56371c9bb0811a0d353e3c0e96ae72251a2c627a7a0c7a9112b8e530661b559eb2f64f09ccbbf678c23476f0273db25b242937448bb5b85de1138632806d

Download Submit
C:\Users\Admin\AppData\Local\Temp\663c30fe-b5c4-4693-a56e-fc4870c69b1d.vbs

Filesize
713B

MD5
046ceae3faa5f92a6e39e31d1092f06f

SHA1
9bbef6e148c8e8b5bf5ed3bbf2c4aaf31e70b64a

SHA256
d67d2c755ea5fd388bffc2fe132c9297b0d48fff873ca4c4068ca4afb3ec8a9d

SHA512
5ebf7f04762907a20a2865be72066adb5178434dc72b479ed9dfff7a1ea6d6265a21f60afc20b1605a22482d40fbc6af128dfe2fd01b55efb406952c3bd4bcb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\66badf64-0319-4d47-80ad-791f873079ce.vbs

Filesize
489B

MD5
a209a16fa908f498bdca99b071f716b2

SHA1
70418f9b3a95d7781ebc1ec410921375c3c4be19

SHA256
a7e6b7438a1c3ca03a3c66492a4c7d83c14fc3b49947925b35e98b4f77bbbd5b

SHA512
262e0f3b35d868f8661dee13cf097e4b897da0b814a553fe4059830f372b37018fbe65f56b36d96b4423ca25b62653468ae655c03af374d1202c6b2154574014

Download Submit
C:\Users\Admin\AppData\Local\Temp\725a7790-e7e6-4caf-a440-a9ddd00a3451.vbs

Filesize
713B

MD5
84c2d89d96e700d9a763ab12c6a63250

SHA1
d872ee41ea14deef75b039506867b327242807b5

SHA256
b2bc3c2046aaace03b0bb098bbcfd9c3724bcf45acf03830ab365e145606704d

SHA512
8f91c97bc87c3386548a0678cff06ad4c87125c0b35c9689e6c421defa5fe128bc642216b5d7ae02e7eed31f9485dac5843ac7e3f2b30048f4d335b79ac6b37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\982788bd-eae0-4910-bdd2-c9a23e3cc203.vbs

Filesize
713B

MD5
ee543e434ef66a3d954d658cb63d6a81

SHA1
85a591ec01c8ba4d4aa18d59bd7b5ac5bb7ebac4

SHA256
7fecc6819f46fc37e5de983904d329e174302b5e3dd83996713556fb0848e458

SHA512
cd86d1758903fa50da53c80eb72eea21e3e753d9cc720ae68df26d70ed4fceaae3c5a4e8f1687920434c65e587844ed1656b75187c18de7e0b101971dfc16a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\a904e711-b690-41a5-9935-b3ff46aa302a.vbs

Filesize
713B

MD5
4063cdf0f9b4d59a241b224db2bfa120

SHA1
290cbf3e84377d29fcd023339b8cabaee6059a85

SHA256
6e7963f9ec88e29c16bd0d966fdae88a1c39fbfbea74f28ac246446633433721

SHA512
1346e48efd2139af9aa37f8cafede85270d17cc8fe97c161bdcf71b6715c675baad3d39a31a28a68e4498f870a67c96085fed83e1524b1114644d0c3274c0ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b209ea84-3429-49f7-8cc6-2a6d7a7ef019.vbs

Filesize
713B

MD5
09a2e714b9b93d3dc399a43dfb467f9c

SHA1
9948c2f5f37d865c856a2654d6215a93bf7973ef

SHA256
9ca6dd1848330e41426943dbabfdd8b57e15d2b6d3346227000a0853bb912e90

SHA512
a8f409ed2fe00c26f1e06b02b7e5d42f1f83413c77ad68131bc44f86395691eb522c2dc9ce6b04d713585a2dc27e3007739882f85b200f365e48423ee1d809da

Download Submit
C:\Users\Admin\AppData\Local\Temp\efdc5b73-b184-47b7-9423-57eed9f46f02.vbs

Filesize
713B

MD5
8ed26b58636017a53f6fad23fb5f6ec5

SHA1
7f81b696f98a0c5721704635ecd2c0c3157f4d8a

SHA256
c568da1a71a9914ee58a7688ff7dbf48e25511547d025d9a5cc0fb2baf7ef25b

SHA512
73aede0d48ec8daa3b6ccf98babe2d11384356539fb791abf9ebc0487084f776e0c77f36aaf3d00353016f238ff9cdced0ca5a4ce303a62a4c7eadc20d9f01e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f58af527-18a8-49f1-9ac9-6b1ddc1f11cd.vbs

Filesize
712B

MD5
35fce5423ed862df68fbfabaf2a947a8

SHA1
8c07a99e40bab672a296de1caa6206717ce4c5b4

SHA256
85fd431ccd79c3f15dcd4387f73239c5a961bbdf6e2db011950774676f166e05

SHA512
c429c8177727a6701011fc758fd5581d8249557cf3532bc61d4c0712cf1e5e3a1e9ceebc1b4c033b1a932b6c53a5bec52dde7fb705c147d9f23bff41820054a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\lsm.exe

Filesize
885KB

MD5
4454ceb4919130c9dd9ac71aefa53879

SHA1
718ee7efda5afef9a41513902c33a767d3eba95c

SHA256
b7c8e0d773962b93371cd3a7f5617d0ced09ed117b3082fdabe319954cc2c59d

SHA512
7a7a4f2bca12d9a518d8e5dbee655a4a210c13eb44edd1d93597bd6a010a4fe9ede1c0ef6d9baca14f411ca27524ccdee486758cfb36bc67727b9c42ecca7cd1

Download Submit
memory/1272-85-0x0000000001170000-0x0000000001254000-memory.dmp

Filesize
912KB

Download
memory/1684-4-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/1684-1-0x0000000000B10000-0x0000000000BF4000-memory.dmp

Filesize
912KB

Download
memory/1684-8-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/1684-7-0x0000000002130000-0x000000000213E000-memory.dmp

Filesize
56KB

Download
memory/1684-3-0x0000000000AF0000-0x0000000000B0C000-memory.dmp

Filesize
112KB

Download
memory/1684-6-0x0000000000640000-0x000000000064A000-memory.dmp

Filesize
40KB

Download
memory/1684-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

Filesize
4KB

Download
memory/1684-5-0x0000000002110000-0x0000000002126000-memory.dmp

Filesize
88KB

Download
memory/1684-2-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-86-0x000007FEF5590000-0x000007FEF5F7C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-9-0x0000000002150000-0x000000000215C000-memory.dmp

Filesize
48KB

Download
memory/1688-153-0x0000000000D80000-0x0000000000E64000-memory.dmp

Filesize
912KB

Download
memory/2240-176-0x0000000001130000-0x0000000001214000-memory.dmp

Filesize
912KB

Download
memory/2764-141-0x0000000000340000-0x0000000000424000-memory.dmp

Filesize
912KB

Download