dcrat | add6234329d65ae878b6112d7d63d6641b842d28c0fa2fa5fbbb09a1b835bc0c

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21f66f607b86f4db433d605d92d00531.exe
Size

1.6MB
MD5

21f66f607b86f4db433d605d92d00531
SHA1

f40284412b592f66288656c9883f1c740bfd6fab
SHA256

7ed1f0270ecdcff9af42e3f4e54689cb96ddbe26d370e848942d08dc3e5fa9ea
SHA512

9543327ed0c632e39ad6204c1371ee9cfa152079c5fd01f3dc8aaf9b4bc992315cc05b4fc509b6e718116ff75785c525256e7570706b1b2ffb41a250ae89ab73
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2748	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/2400-1-0x00000000013D0000-0x0000000001572000-memory.dmp	dcrat
behavioral3/files/0x00050000000199bf-25.dat	dcrat
behavioral3/files/0x0008000000019838-101.dat	dcrat
behavioral3/memory/2256-149-0x0000000000C90000-0x0000000000E32000-memory.dmp	dcrat
behavioral3/memory/2608-160-0x0000000000EF0000-0x0000000001092000-memory.dmp	dcrat
behavioral3/memory/2860-194-0x00000000003B0000-0x0000000000552000-memory.dmp	dcrat
behavioral3/memory/704-206-0x0000000001170000-0x0000000001312000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1832	powershell.exe
2976	powershell.exe
2964	powershell.exe
2968	powershell.exe
448	powershell.exe
2484	powershell.exe
108	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2256	21f66f607b86f4db433d605d92d00531.exe
2608	21f66f607b86f4db433d605d92d00531.exe
108	21f66f607b86f4db433d605d92d00531.exe
2908	21f66f607b86f4db433d605d92d00531.exe
2860	21f66f607b86f4db433d605d92d00531.exe
704	21f66f607b86f4db433d605d92d00531.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\31397f4a30514c	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXB8FF.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXB96D.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe	21f66f607b86f4db433d605d92d00531.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\Sorting\dwm.exe	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Windows\ModemLogs\c5b4cb5e9653cc	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Windows\DigitalLocker\en-US\1610b97d3ab4a7	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\Globalization\Sorting\dwm.exe	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Windows\DigitalLocker\en-US\OSPPSVC.exe	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\ModemLogs\services.exe	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXB6FA.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\OSPPSVC.exe	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXB6FB.tmp	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Windows\Globalization\Sorting\6cb0b6c459d5d3	21f66f607b86f4db433d605d92d00531.exe
File created	C:\Windows\ModemLogs\services.exe	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCXAE7B.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\ModemLogs\RCXB488.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\ModemLogs\RCXB489.tmp	21f66f607b86f4db433d605d92d00531.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCXAE7A.tmp	21f66f607b86f4db433d605d92d00531.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
1692	schtasks.exe
2372	schtasks.exe
2332	schtasks.exe
3028	schtasks.exe
2860	schtasks.exe
2772	schtasks.exe
2640	schtasks.exe
1320	schtasks.exe
332	schtasks.exe
2788	schtasks.exe
2896	schtasks.exe
2724	schtasks.exe
852	schtasks.exe
2676	schtasks.exe
1996	schtasks.exe
3036	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2400	21f66f607b86f4db433d605d92d00531.exe
108	powershell.exe
2968	powershell.exe
2976	powershell.exe
448	powershell.exe
2484	powershell.exe
1832	powershell.exe
2964	powershell.exe
2256	21f66f607b86f4db433d605d92d00531.exe
2608	21f66f607b86f4db433d605d92d00531.exe
108	21f66f607b86f4db433d605d92d00531.exe
2908	21f66f607b86f4db433d605d92d00531.exe
2860	21f66f607b86f4db433d605d92d00531.exe
704	21f66f607b86f4db433d605d92d00531.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	21f66f607b86f4db433d605d92d00531.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2256	21f66f607b86f4db433d605d92d00531.exe
Token: SeDebugPrivilege	2608	21f66f607b86f4db433d605d92d00531.exe
Token: SeDebugPrivilege	108	21f66f607b86f4db433d605d92d00531.exe
Token: SeDebugPrivilege	2908	21f66f607b86f4db433d605d92d00531.exe
Token: SeDebugPrivilege	2860	21f66f607b86f4db433d605d92d00531.exe
Token: SeDebugPrivilege	704	21f66f607b86f4db433d605d92d00531.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 108	2400	21f66f607b86f4db433d605d92d00531.exe	49
PID 2400 wrote to memory of 108	2400	21f66f607b86f4db433d605d92d00531.exe	49
PID 2400 wrote to memory of 108	2400	21f66f607b86f4db433d605d92d00531.exe	49
PID 2400 wrote to memory of 2484	2400	21f66f607b86f4db433d605d92d00531.exe	50
PID 2400 wrote to memory of 2484	2400	21f66f607b86f4db433d605d92d00531.exe	50
PID 2400 wrote to memory of 2484	2400	21f66f607b86f4db433d605d92d00531.exe	50
PID 2400 wrote to memory of 448	2400	21f66f607b86f4db433d605d92d00531.exe	51
PID 2400 wrote to memory of 448	2400	21f66f607b86f4db433d605d92d00531.exe	51
PID 2400 wrote to memory of 448	2400	21f66f607b86f4db433d605d92d00531.exe	51
PID 2400 wrote to memory of 2968	2400	21f66f607b86f4db433d605d92d00531.exe	52
PID 2400 wrote to memory of 2968	2400	21f66f607b86f4db433d605d92d00531.exe	52
PID 2400 wrote to memory of 2968	2400	21f66f607b86f4db433d605d92d00531.exe	52
PID 2400 wrote to memory of 2964	2400	21f66f607b86f4db433d605d92d00531.exe	55
PID 2400 wrote to memory of 2964	2400	21f66f607b86f4db433d605d92d00531.exe	55
PID 2400 wrote to memory of 2964	2400	21f66f607b86f4db433d605d92d00531.exe	55
PID 2400 wrote to memory of 2976	2400	21f66f607b86f4db433d605d92d00531.exe	56
PID 2400 wrote to memory of 2976	2400	21f66f607b86f4db433d605d92d00531.exe	56
PID 2400 wrote to memory of 2976	2400	21f66f607b86f4db433d605d92d00531.exe	56
PID 2400 wrote to memory of 1832	2400	21f66f607b86f4db433d605d92d00531.exe	58
PID 2400 wrote to memory of 1832	2400	21f66f607b86f4db433d605d92d00531.exe	58
PID 2400 wrote to memory of 1832	2400	21f66f607b86f4db433d605d92d00531.exe	58
PID 2400 wrote to memory of 1384	2400	21f66f607b86f4db433d605d92d00531.exe	63
PID 2400 wrote to memory of 1384	2400	21f66f607b86f4db433d605d92d00531.exe	63
PID 2400 wrote to memory of 1384	2400	21f66f607b86f4db433d605d92d00531.exe	63
PID 1384 wrote to memory of 2552	1384	cmd.exe	65
PID 1384 wrote to memory of 2552	1384	cmd.exe	65
PID 1384 wrote to memory of 2552	1384	cmd.exe	65
PID 1384 wrote to memory of 2256	1384	cmd.exe	67
PID 1384 wrote to memory of 2256	1384	cmd.exe	67
PID 1384 wrote to memory of 2256	1384	cmd.exe	67
PID 2256 wrote to memory of 688	2256	21f66f607b86f4db433d605d92d00531.exe	68
PID 2256 wrote to memory of 688	2256	21f66f607b86f4db433d605d92d00531.exe	68
PID 2256 wrote to memory of 688	2256	21f66f607b86f4db433d605d92d00531.exe	68
PID 2256 wrote to memory of 2448	2256	21f66f607b86f4db433d605d92d00531.exe	69
PID 2256 wrote to memory of 2448	2256	21f66f607b86f4db433d605d92d00531.exe	69
PID 2256 wrote to memory of 2448	2256	21f66f607b86f4db433d605d92d00531.exe	69
PID 688 wrote to memory of 2608	688	WScript.exe	70
PID 688 wrote to memory of 2608	688	WScript.exe	70
PID 688 wrote to memory of 2608	688	WScript.exe	70
PID 2608 wrote to memory of 1528	2608	21f66f607b86f4db433d605d92d00531.exe	71
PID 2608 wrote to memory of 1528	2608	21f66f607b86f4db433d605d92d00531.exe	71
PID 2608 wrote to memory of 1528	2608	21f66f607b86f4db433d605d92d00531.exe	71
PID 2608 wrote to memory of 2796	2608	21f66f607b86f4db433d605d92d00531.exe	72
PID 2608 wrote to memory of 2796	2608	21f66f607b86f4db433d605d92d00531.exe	72
PID 2608 wrote to memory of 2796	2608	21f66f607b86f4db433d605d92d00531.exe	72
PID 1528 wrote to memory of 108	1528	WScript.exe	73
PID 1528 wrote to memory of 108	1528	WScript.exe	73
PID 1528 wrote to memory of 108	1528	WScript.exe	73
PID 108 wrote to memory of 2104	108	21f66f607b86f4db433d605d92d00531.exe	74
PID 108 wrote to memory of 2104	108	21f66f607b86f4db433d605d92d00531.exe	74
PID 108 wrote to memory of 2104	108	21f66f607b86f4db433d605d92d00531.exe	74
PID 108 wrote to memory of 1520	108	21f66f607b86f4db433d605d92d00531.exe	75
PID 108 wrote to memory of 1520	108	21f66f607b86f4db433d605d92d00531.exe	75
PID 108 wrote to memory of 1520	108	21f66f607b86f4db433d605d92d00531.exe	75
PID 2104 wrote to memory of 2908	2104	WScript.exe	76
PID 2104 wrote to memory of 2908	2104	WScript.exe	76
PID 2104 wrote to memory of 2908	2104	WScript.exe	76
PID 2908 wrote to memory of 484	2908	21f66f607b86f4db433d605d92d00531.exe	77
PID 2908 wrote to memory of 484	2908	21f66f607b86f4db433d605d92d00531.exe	77
PID 2908 wrote to memory of 484	2908	21f66f607b86f4db433d605d92d00531.exe	77
PID 2908 wrote to memory of 2024	2908	21f66f607b86f4db433d605d92d00531.exe	78
PID 2908 wrote to memory of 2024	2908	21f66f607b86f4db433d605d92d00531.exe	78
PID 2908 wrote to memory of 2024	2908	21f66f607b86f4db433d605d92d00531.exe	78
PID 484 wrote to memory of 2860	484	WScript.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\21f66f607b86f4db433d605d92d00531.exe
"C:\Users\Admin\AppData\Local\Temp\21f66f607b86f4db433d605d92d00531.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\21f66f607b86f4db433d605d92d00531.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZbpY2P6skg.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2552
- - C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe
    "C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8023926a-7ccb-4dac-b196-8be8db9ff0c6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:688
    - - C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de266010-a228-4ed2-a16d-ac36ec65feed.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2746189-c51f-4ca0-9c62-15267e5450fd.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a4fdec9-3c66-4cde-a834-19cbb96479b8.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fe9103-8a31-40bf-99b0-af14ea177b0c.vbs"
        12⤵
        
        PID:1284
        
        C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f19156ad-a6d7-4e4f-bd2b-eafcf708ae8f.vbs"
        14⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c486daf8-bd1e-4802-bb36-c75f526edf52.vbs"
        14⤵
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14317c0d-22e7-4dcc-8d30-24b902c2fd74.vbs"
        12⤵
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea3ddca2-e48b-427b-af05-52a3c34f4d18.vbs"
        10⤵
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\201e894e-2e46-47aa-a0ef-f38eb27414ca.vbs"
        8⤵
        
        PID:1520
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9213c944-bcc3-40d0-b6cd-05179c91e20e.vbs"
        6⤵
        
        PID:2796
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b2767d4-4026-4591-a218-231fcc395630.vbs"
      4⤵
      PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\Sorting\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "21f66f607b86f4db433d605d92d005312" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "21f66f607b86f4db433d605d92d00531" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "21f66f607b86f4db433d605d92d005312" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows NT\Accessories\21f66f607b86f4db433d605d92d00531.exe

Filesize
1.6MB

MD5
77c6d24473c51ef18587d97bb8101924

SHA1
c5f132f30a18018f6fb259fcdd72d4d659970e04

SHA256
0f1fa52068845db944590ecadab7ae9d5979533556cea9da110dfc01fa90323e

SHA512
978e032f614e0c792d58e0f2075d87ffc3b95540cbbfe78eed856f5d788504571ca79a8dbfae7842be9b4e1fd74849f37695eb9da11cdf6ea008f9f6056cb841

Download Submit
C:\Users\Admin\AppData\Local\Temp\26fe9103-8a31-40bf-99b0-af14ea177b0c.vbs

Filesize
758B

MD5
63b731c9fbbf6c256097e31c3cad6986

SHA1
2754859e87d3a38997b2d360149c483d32376ea2

SHA256
57e209ff49759c2b2b46e377d879220aa751914dde4f1c557f9750107ff4d905

SHA512
55d1afe240585a10df308139ee53bc7809382b12b0ad9d9ee172fc9976cdeb18e000eed391a63d77b2f24f35871f25f8421f0da5d304bf6e3dc1faeae2b836cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b2767d4-4026-4591-a218-231fcc395630.vbs

Filesize
534B

MD5
111e2ac0ffc5b083d7f43c438a91ccdd

SHA1
e01865a9cb48cd04b95222f14b5c42078a6f9ccc

SHA256
c2c3a012336ab49ae56fa64fe69f30e6072667bc3aa464844d162bc68c65bee8

SHA512
d75b04ef3cf7eb36776ecc0acd7cc0fde8e6c608af2eb74ee1134f0080fc0a786e2e938e089c3407ff60d79648001a3f1a61c77226e1cf49c62e7f1835fd16d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a4fdec9-3c66-4cde-a834-19cbb96479b8.vbs

Filesize
758B

MD5
1e181781e3a8a926c7e997476fb5e561

SHA1
5de62510aee9efc045809b6b60e3b2ecb8a79acd

SHA256
b94ab019f3f637f0cbd0452d5cbdb1c959a3ad3de77a6b8f585bff59b2ced4c4

SHA512
48a78a4d1421dedb1b1ace9fd09fed328c57d487f6e57095e65e9b17a4dbc9ec29eb68633ce937ecfa3b0bcb2bb8d7fe18919012aa6c4c8467bdb1780d72265e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8023926a-7ccb-4dac-b196-8be8db9ff0c6.vbs

Filesize
758B

MD5
f913bff66a91c957bed7a59dd82237d3

SHA1
b521e1178aba913075d1de694a2c35afc1365ea0

SHA256
14eabfde5c08642a430f98896e444f3d23c5c5f6ad05f3a7619fb290fc27cc44

SHA512
e101e564f746a325472b608c1a35885f0fc895bf5fcb0f37a3296d94ca0de25e2fb676dbdc5c9bd6f94131780a816ac389401a9d0235f3da6a7ecd42aedbde6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZbpY2P6skg.bat

Filesize
247B

MD5
95af9b877fde18cb8a9d80f211d06f1c

SHA1
2f155c7fd958fc837cb25f8fa8f917fddb259454

SHA256
b83f2f71605272c26e05c886d108eeee2addb1ff83ad566464adb4d821b81fcc

SHA512
444575cd5cc3510e43c71ffe5e4c2f9c2f852cfc95b4cc72d6d13242660964c64c4f1a0ef2869ff0e6306f260487cf2c7fcdfb6f993b2cf1591816d4929c39e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2746189-c51f-4ca0-9c62-15267e5450fd.vbs

Filesize
757B

MD5
727789769b944e1176a2f925294486dc

SHA1
20a43c8cc45824fcf7816a54878e1ce833d55f28

SHA256
a283ac371fbcc2e59f9c404f730a8449adc00d3b04a2733f633bc172dc011b41

SHA512
49dfdb855445f70397c071e85677bcdd50e0d1ed1d469ca7a21b8019301793b36c56d4f39e432cf28101de527add5d951e3c8f6aa878b180b86ca0dada871041

Download Submit
C:\Users\Admin\AppData\Local\Temp\de266010-a228-4ed2-a16d-ac36ec65feed.vbs

Filesize
758B

MD5
50c633d82cb21556cbcf57292855328f

SHA1
98ef1a299b256ec99eb87eb569c26a9cfb45db98

SHA256
27ac858a1b3d10af1acb47f223105a3c13af6470313a28645125a627563745d2

SHA512
2acf90b97d84c0b6d610ca92c182f5fcb801fe442e8a8a12058a0d84b1f263690987b8aabffa693d69db9d1364a15231b8b2b832c12fea0bd738b52e73f62bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f19156ad-a6d7-4e4f-bd2b-eafcf708ae8f.vbs

Filesize
757B

MD5
ac780d7c010fd106d739013e6396b1be

SHA1
a15dfe0cf4be701165002b8f13e3ec7fae3da8ff

SHA256
081b8e39911d550dddc106672cc651a2f0637b59eea426d754a6fd1660fda388

SHA512
a55e6be1585c630d10dae66b972227162dc56290b3c660b8d6c8c2a90b5df03578838d0169b14a844c4831904539f359ab6b8ccd0c46f7ee057b8ad3f30c032e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I75WB1IZO1JEQ0PTDYJR.temp

Filesize
7KB

MD5
3b98d360898051ed7e0fe5e22096974b

SHA1
0ea745a9e773adecf9e6fef1b2cf4c179958a972

SHA256
5bd21fd15f71a7f4cbcfaba5d5f3196f9f970de01c264d2fbe81af75b67d588f

SHA512
3222e2c68ed6feeefeca841a931b50377c8cab42b38c3759020bd4d20f1eb6512eeaf565eae2d715f9cb0d1728820facc81409e5c4c81c5c092d0ddfaf7097a6

Download Submit
C:\Windows\DigitalLocker\en-US\OSPPSVC.exe

Filesize
1.6MB

MD5
21f66f607b86f4db433d605d92d00531

SHA1
f40284412b592f66288656c9883f1c740bfd6fab

SHA256
7ed1f0270ecdcff9af42e3f4e54689cb96ddbe26d370e848942d08dc3e5fa9ea

SHA512
9543327ed0c632e39ad6204c1371ee9cfa152079c5fd01f3dc8aaf9b4bc992315cc05b4fc509b6e718116ff75785c525256e7570706b1b2ffb41a250ae89ab73

Download Submit
memory/108-131-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/704-206-0x0000000001170000-0x0000000001312000-memory.dmp

Filesize
1.6MB

Download
memory/2256-149-0x0000000000C90000-0x0000000000E32000-memory.dmp

Filesize
1.6MB

Download
memory/2400-11-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2400-14-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/2400-5-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/2400-3-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/2400-9-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2400-7-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

Filesize
64KB

Download
memory/2400-16-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/2400-15-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/2400-8-0x0000000000A50000-0x0000000000A58000-memory.dmp

Filesize
32KB

Download
memory/2400-10-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2400-109-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-12-0x0000000000B80000-0x0000000000B8E000-memory.dmp

Filesize
56KB

Download
memory/2400-4-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download
memory/2400-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2400-1-0x00000000013D0000-0x0000000001572000-memory.dmp

Filesize
1.6MB

Download
memory/2400-13-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2400-6-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2400-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2608-160-0x0000000000EF0000-0x0000000001092000-memory.dmp

Filesize
1.6MB

Download
memory/2860-194-0x00000000003B0000-0x0000000000552000-memory.dmp

Filesize
1.6MB

Download
memory/2968-131-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2976-130-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download