dcrat | d7108405eebedbd1d610c13bd7dae066a7ca5497f7e1c8c977a92b8401083709

Analysis

max time kernel
147s
max time network
167s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a9ffe006a29261c5f168fdf0fe26434.exe
Size

1.6MB
MD5

2a9ffe006a29261c5f168fdf0fe26434
SHA1

f445b266e10c6aa8862836249b7191e6844daea7
SHA256

44e8546f8e588d48b8cff32d70abcef37d3e3612cc84097832eda999bf621b95
SHA512

03cf6be019011547574ef760b8a2cc16396c43f4b392a93fd52004bbb2df712751d085f081c4c55926756fe6b2186a801d6d2557080c675281966881fba8cc63
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2896	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2896	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral5/memory/2232-1-0x0000000001020000-0x00000000011C2000-memory.dmp	dcrat
behavioral5/files/0x000500000001a481-27.dat	dcrat
behavioral5/files/0x000500000001a483-36.dat	dcrat
behavioral5/memory/672-93-0x0000000000A20000-0x0000000000BC2000-memory.dmp	dcrat
behavioral5/memory/700-104-0x0000000000A70000-0x0000000000C12000-memory.dmp	dcrat
behavioral5/memory/2960-116-0x0000000000160000-0x0000000000302000-memory.dmp	dcrat
behavioral5/memory/1936-128-0x0000000000D40000-0x0000000000EE2000-memory.dmp	dcrat
behavioral5/memory/1784-140-0x00000000003A0000-0x0000000000542000-memory.dmp	dcrat
behavioral5/memory/976-152-0x0000000000FE0000-0x0000000001182000-memory.dmp	dcrat
behavioral5/memory/2924-186-0x0000000000310000-0x00000000004B2000-memory.dmp	dcrat
behavioral5/memory/2584-198-0x0000000001280000-0x0000000001422000-memory.dmp	dcrat
behavioral5/memory/584-209-0x0000000000290000-0x0000000000432000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1420	powershell.exe
1684	powershell.exe
2520	powershell.exe
1784	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
672	lsm.exe
700	lsm.exe
2960	lsm.exe
1936	lsm.exe
1784	lsm.exe
976	lsm.exe
2192	lsm.exe
1680	lsm.exe
2924	lsm.exe
2584	lsm.exe
584	lsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2640	schtasks.exe
2648	schtasks.exe
1600	schtasks.exe
536	schtasks.exe
2960	schtasks.exe
2332	schtasks.exe
2780	schtasks.exe
2408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2232	2a9ffe006a29261c5f168fdf0fe26434.exe
1684	powershell.exe
1420	powershell.exe
1784	powershell.exe
2520	powershell.exe
672	lsm.exe
700	lsm.exe
2960	lsm.exe
1936	lsm.exe
1784	lsm.exe
976	lsm.exe
2192	lsm.exe
1680	lsm.exe
2924	lsm.exe
2584	lsm.exe
584	lsm.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	2a9ffe006a29261c5f168fdf0fe26434.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	672	lsm.exe
Token: SeDebugPrivilege	700	lsm.exe
Token: SeDebugPrivilege	2960	lsm.exe
Token: SeDebugPrivilege	1936	lsm.exe
Token: SeDebugPrivilege	1784	lsm.exe
Token: SeDebugPrivilege	976	lsm.exe
Token: SeDebugPrivilege	2192	lsm.exe
Token: SeDebugPrivilege	1680	lsm.exe
Token: SeDebugPrivilege	2924	lsm.exe
Token: SeDebugPrivilege	2584	lsm.exe
Token: SeDebugPrivilege	584	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 1420	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	41
PID 2232 wrote to memory of 1420	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	41
PID 2232 wrote to memory of 1420	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	41
PID 2232 wrote to memory of 1684	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	42
PID 2232 wrote to memory of 1684	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	42
PID 2232 wrote to memory of 1684	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	42
PID 2232 wrote to memory of 1784	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	43
PID 2232 wrote to memory of 1784	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	43
PID 2232 wrote to memory of 1784	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	43
PID 2232 wrote to memory of 2520	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	44
PID 2232 wrote to memory of 2520	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	44
PID 2232 wrote to memory of 2520	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	44
PID 2232 wrote to memory of 1976	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	49
PID 2232 wrote to memory of 1976	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	49
PID 2232 wrote to memory of 1976	2232	2a9ffe006a29261c5f168fdf0fe26434.exe	49
PID 1976 wrote to memory of 788	1976	cmd.exe	51
PID 1976 wrote to memory of 788	1976	cmd.exe	51
PID 1976 wrote to memory of 788	1976	cmd.exe	51
PID 1976 wrote to memory of 672	1976	cmd.exe	52
PID 1976 wrote to memory of 672	1976	cmd.exe	52
PID 1976 wrote to memory of 672	1976	cmd.exe	52
PID 672 wrote to memory of 1384	672	lsm.exe	53
PID 672 wrote to memory of 1384	672	lsm.exe	53
PID 672 wrote to memory of 1384	672	lsm.exe	53
PID 672 wrote to memory of 2512	672	lsm.exe	54
PID 672 wrote to memory of 2512	672	lsm.exe	54
PID 672 wrote to memory of 2512	672	lsm.exe	54
PID 1384 wrote to memory of 700	1384	WScript.exe	55
PID 1384 wrote to memory of 700	1384	WScript.exe	55
PID 1384 wrote to memory of 700	1384	WScript.exe	55
PID 700 wrote to memory of 2084	700	lsm.exe	56
PID 700 wrote to memory of 2084	700	lsm.exe	56
PID 700 wrote to memory of 2084	700	lsm.exe	56
PID 700 wrote to memory of 3032	700	lsm.exe	57
PID 700 wrote to memory of 3032	700	lsm.exe	57
PID 700 wrote to memory of 3032	700	lsm.exe	57
PID 2084 wrote to memory of 2960	2084	WScript.exe	58
PID 2084 wrote to memory of 2960	2084	WScript.exe	58
PID 2084 wrote to memory of 2960	2084	WScript.exe	58
PID 2960 wrote to memory of 2648	2960	lsm.exe	59
PID 2960 wrote to memory of 2648	2960	lsm.exe	59
PID 2960 wrote to memory of 2648	2960	lsm.exe	59
PID 2960 wrote to memory of 2028	2960	lsm.exe	60
PID 2960 wrote to memory of 2028	2960	lsm.exe	60
PID 2960 wrote to memory of 2028	2960	lsm.exe	60
PID 2648 wrote to memory of 1936	2648	WScript.exe	61
PID 2648 wrote to memory of 1936	2648	WScript.exe	61
PID 2648 wrote to memory of 1936	2648	WScript.exe	61
PID 1936 wrote to memory of 2532	1936	lsm.exe	62
PID 1936 wrote to memory of 2532	1936	lsm.exe	62
PID 1936 wrote to memory of 2532	1936	lsm.exe	62
PID 1936 wrote to memory of 2604	1936	lsm.exe	63
PID 1936 wrote to memory of 2604	1936	lsm.exe	63
PID 1936 wrote to memory of 2604	1936	lsm.exe	63
PID 2532 wrote to memory of 1784	2532	WScript.exe	64
PID 2532 wrote to memory of 1784	2532	WScript.exe	64
PID 2532 wrote to memory of 1784	2532	WScript.exe	64
PID 1784 wrote to memory of 2848	1784	lsm.exe	65
PID 1784 wrote to memory of 2848	1784	lsm.exe	65
PID 1784 wrote to memory of 2848	1784	lsm.exe	65
PID 1784 wrote to memory of 2476	1784	lsm.exe	66
PID 1784 wrote to memory of 2476	1784	lsm.exe	66
PID 1784 wrote to memory of 2476	1784	lsm.exe	66
PID 2848 wrote to memory of 976	2848	WScript.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2a9ffe006a29261c5f168fdf0fe26434.exe
"C:\Users\Admin\AppData\Local\Temp\2a9ffe006a29261c5f168fdf0fe26434.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\2a9ffe006a29261c5f168fdf0fe26434.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1pqWF3ZRZL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:788
- - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
    "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:672
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6b3a506-c219-4b6d-92f9-654e0b169b0a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a15fc236-950d-4adc-ae0b-6cc26bd2189f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b139e2a-0d46-4258-84e9-f24bdb72064d.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdc3d828-8d18-4cce-a6a1-44d46130f785.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\744fdbd3-dd12-4285-b966-da8f85d08d7e.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40432cd0-bb3e-492e-8935-ebeef3b95409.vbs"
        14⤵
        
        PID:2152
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e34e79d5-b071-4642-8dd4-c3852715bcf1.vbs"
        16⤵
        
        PID:1636
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f98b4df3-398b-48df-8188-fc6770d47ee5.vbs"
        18⤵
        
        PID:1940
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ace9f653-d7a2-4245-ac8b-b55ef7e91714.vbs"
        20⤵
        
        PID:1676
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e065fb3-9fb9-4d8e-ba1e-bad9b862fba6.vbs"
        22⤵
        
        PID:1660
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4728c33b-b2d1-4e9f-ace6-cb46cab60293.vbs"
        24⤵
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb6e5242-e7aa-4111-a166-45cd092510a4.vbs"
        24⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\959ac580-c60f-4ad3-86c2-51d98cbeb7cd.vbs"
        22⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f81ed03c-3a4a-4fc6-a84c-c5e87d67463d.vbs"
        20⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ae409e0-58df-4dec-a152-991a6646f50b.vbs"
        18⤵
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9776d5f6-6800-4fea-a71d-1bc2baed6e8b.vbs"
        16⤵
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebbd40f1-3310-4c28-87d6-af6b49383647.vbs"
        14⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0486e1e5-f7d2-4ec0-a5e2-fe8c785451d9.vbs"
        12⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19b6a18f-a6e0-4191-b076-a5e141531c9a.vbs"
        10⤵
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae728e3-0ea9-462f-9c56-766bf734e407.vbs"
        8⤵
        
        PID:2028
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eebe70ab-1048-46e6-b56a-4438013fb67a.vbs"
        6⤵
        
        PID:3032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1b149cc-d617-4c32-98a4-834fe627fe9a.vbs"
      4⤵
      PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0e065fb3-9fb9-4d8e-ba1e-bad9b862fba6.vbs

Filesize
732B

MD5
34de94d44429885048d48bdea1bc179c

SHA1
d664b1f5ba7b1162590ce1cd34a82a51e4d816cd

SHA256
992e4e3dd5a8d555dd4f57478ddc3fae16f8c2521d8b44958506fd64d10efc4f

SHA512
bd6e4dc71d959b98dd35804ba7feaed7a155767e5caf7af975a00195aea0c6c3d32f15fb17be53c40f31acacbd61150e322e5de4d47a2b9333a6a7fb286f9097

Download Submit
C:\Users\Admin\AppData\Local\Temp\1pqWF3ZRZL.bat

Filesize
221B

MD5
f0897b28316bd74fab2a1b14dd69acdb

SHA1
48e930e76ec7be4f13a83ba659aa6b17a1650627

SHA256
c28b47264b05e9565890649a6916de2e6b62ab56c4810c3cb55af59305d3d0a7

SHA512
2dd869d89557574c0857bb1190d790411344b7621192d46e2695e8bec1d26fa38036de89dd26bde6914aed5bcf755247ab8f43523bc68448fd1422836d8a34ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\40432cd0-bb3e-492e-8935-ebeef3b95409.vbs

Filesize
731B

MD5
1e56b951ce3788b3fbe69defdea0a0c9

SHA1
50403b787744ef6ce6930a5e7584462cded24f7a

SHA256
fd973baefe234e8fe563b300714706118b355503d20cee354220b84cb3c07e0a

SHA512
ffc9167786522cc5a5c320332f6e73762c6b9f80029e810ccbdc289d1c5e0049a5c3802c6f753fc8167d3609b0e89cc876648fe11365d1d622c08b1e62730a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4728c33b-b2d1-4e9f-ace6-cb46cab60293.vbs

Filesize
731B

MD5
f2ee22e9ce30afed8272a10935897618

SHA1
7f54b3b964ee0e23c985f53d4ce786cd948173c9

SHA256
0c946edf8c7a92bbd99a103626a114021c1446018ace47b29700c4d15fac71f4

SHA512
7d7fd18f8f48a70e83b470053e408472a96cc02124ad906ab0a9b2e0e4e4e1d10e95653bb72aeb1f0d0732cce04ff9d85a91bb476bfbea97a8895e7d289b9e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b139e2a-0d46-4258-84e9-f24bdb72064d.vbs

Filesize
732B

MD5
def842bbf845922f97cce26f349b66ce

SHA1
2ff7b5a4bb13ccac6d61df9d3a086c9ac9b9cbc2

SHA256
d18b81dfc7ec264a3fb1fee705c7b3fe73c1869b78f27d02bfd92c3e57e7b7ea

SHA512
d79a9fd0c10d16fddf9b43a7cf0bb1b9b804fe9bd3e0a2e459c0fac41c4f52c54ac0ed2986ec89f53ffc9acef446f6b493ee680387705ffdd2bffdcfb1acc472

Download Submit
C:\Users\Admin\AppData\Local\Temp\744fdbd3-dd12-4285-b966-da8f85d08d7e.vbs

Filesize
732B

MD5
84fe04e500923b96f2665e157b5d63df

SHA1
b34dc21dd2869cc44d044d23d2311d3d78facaa2

SHA256
2df341ff9f22d06d297bc84efb5c100a67231b13e89a5b4aa4d402efd165b32c

SHA512
897623aa0e3b5efd89beafdb4a62eaf9ed9fffc11c125db3d58d47e697e1a0490ac079e3c0639f0c5ba504afe95c8e7cf0b0bcfc496fb501a2b9366e666bd731

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXFC98.tmp

Filesize
1.6MB

MD5
2a9ffe006a29261c5f168fdf0fe26434

SHA1
f445b266e10c6aa8862836249b7191e6844daea7

SHA256
44e8546f8e588d48b8cff32d70abcef37d3e3612cc84097832eda999bf621b95

SHA512
03cf6be019011547574ef760b8a2cc16396c43f4b392a93fd52004bbb2df712751d085f081c4c55926756fe6b2186a801d6d2557080c675281966881fba8cc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\a15fc236-950d-4adc-ae0b-6cc26bd2189f.vbs

Filesize
731B

MD5
d25865f8cd16d7a10d3dae4c563e112f

SHA1
fd3c3cbcb8681609a5a65c8031810fc0eaed4bbf

SHA256
eb1b674e6225bcd1a21eb529dec5a5783d779aafc090170b54e05706196f3d4d

SHA512
73bdc997f8d86ddd0f7199074b8400033abc33dc4980ea193c18978af0442d87abe10bd1088de3e4ed24f1ba9093a29cb7a64125558bcd1f505789b1caa00eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1b149cc-d617-4c32-98a4-834fe627fe9a.vbs

Filesize
508B

MD5
39da9eeac2893c95f71ace35b56b3697

SHA1
9b0d1e96982994567d5b5b9e273ebb5f1c3a414b

SHA256
c2cad80cc3fa23aebf12305b3f92a42660eff7fb4033e1fa91a4af03bbb49f0b

SHA512
adbd7e69d5cb1d29d079e3720a78a1c65cf6ea67c32a4bec7115fd0bb1685f70156117afd726d69f180638229bb710246068f855b72b8e25917767ec3d249d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ace9f653-d7a2-4245-ac8b-b55ef7e91714.vbs

Filesize
732B

MD5
78591105d89a94978560e0a1a1257e68

SHA1
3f04abf3107e7059b6332e931c2a9700dc1809e0

SHA256
2145e632561a4f19a1bbbb9dfa952b587cd01b12ce1bda92a936ba1a3a751a01

SHA512
75a2ae6ba75e02a25ad11740561acab2ea0d736013ec617a1f4759faa1812f0c11de7a244ccf144b91df2f985cff3cc4425162c05a058ee4a194c0bff5428c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdc3d828-8d18-4cce-a6a1-44d46130f785.vbs

Filesize
732B

MD5
e7fdf844e0af9fbc66e08f44409cc531

SHA1
d8e0ccdc0b4583c342de8d4c1dd2a6376ec52109

SHA256
7de58b4144aacca4a5d1e2350a542d8bfc0af916c2eadf4fbd6291ad74653e46

SHA512
46b917eb63d959d640215f6058bcb91fd681f63029e92e8b020e784313ed4647fa86fe93f5135d090e7b01bae5b11adb1f931d313a21c6aa2cbaa7db48efc1ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\e34e79d5-b071-4642-8dd4-c3852715bcf1.vbs

Filesize
732B

MD5
c574c0dd011a7fdcc7b06a5983bfec5c

SHA1
86d27bb1c07963bfa18190815649d02d9bcdb8c1

SHA256
0164165058f66d4e18948b3c117b9bc33729295259b0d88585397bff9c66bb09

SHA512
9860195e8816c6f316de7a6266370a7424e9a6ac96d630a2b81d99ca1806dd90c3d55a70e2fe8083ef1d41dba421650a8e1deb6bde56c98228303b4103445b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6b3a506-c219-4b6d-92f9-654e0b169b0a.vbs

Filesize
731B

MD5
02fe3766de4fb1ba478e66bede9e8642

SHA1
efdcd4fe3084f1d4bb5823d3cd54df52d9cb10e6

SHA256
3f45783cb9f8c94aa79916d499e93ca9384b78f13c22ccbcc596a8efd8438413

SHA512
58b48646de3d911353310893a9554b1966dd1b4e3eaaeadd38cc11a21962c9280a2d5839fe6dfa460b3a4cdd3278ab9457a201de2a6514b2e7c6b24fe75e286b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f98b4df3-398b-48df-8188-fc6770d47ee5.vbs

Filesize
732B

MD5
75e15afe9c7c2b0f205156b51efe266b

SHA1
536e5816f72a5e8b976ffa9d4cdb57c4b44e6f23

SHA256
2c87f1f33a6471602726746261fc19118b51b5f2218d6db85ad6b0f0771232d6

SHA512
0477207bf4ad97cf689d1fdc5bc72b8fd172f53881bb33e962cdc0e35c11350a08ed9116c5cdf8aa01aefd157a99a7b88cdecba67d6583bbae5f93a29e39e30a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7620ddb1c6ef7e64c8d240a044131138

SHA1
6a098826027260c86e631805a3d52f2cdde5fd6e

SHA256
30414709951c9d7f014f73fd2874d788c761c75ccecda0aec4a08f3747d5d951

SHA512
e0318f719ad0515d32090526a2412d73a33eec7768d3943d3ce6aed1f689de847fb6e8ca2a2d52eb48f2c1e91a1d3eac4eaa8b6f1a0bc80f5fc476b51d9a397d

Download Submit
C:\Users\Public\Favorites\csrss.exe

Filesize
1.6MB

MD5
0aa1b561646a55b8f38dea71633175e5

SHA1
31ffc49d3b46a99ff29b0c1452a3510b8a2839c1

SHA256
9d4338317f35f6208868e863acfa3a3b02760ed7cf22c923e596d43d4b64c764

SHA512
116a773dc59646676dc76dfc08270371107e9d3e13b18e6b0b4a1a6f2fc99900f2d7241312c5945a3617263ed28028f4ce0296c135932548a77d109ef5e863a2

Download Submit
memory/584-209-0x0000000000290000-0x0000000000432000-memory.dmp

Filesize
1.6MB

Download
memory/672-93-0x0000000000A20000-0x0000000000BC2000-memory.dmp

Filesize
1.6MB

Download
memory/700-104-0x0000000000A70000-0x0000000000C12000-memory.dmp

Filesize
1.6MB

Download
memory/976-152-0x0000000000FE0000-0x0000000001182000-memory.dmp

Filesize
1.6MB

Download
memory/1684-82-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/1784-140-0x00000000003A0000-0x0000000000542000-memory.dmp

Filesize
1.6MB

Download
memory/1784-83-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1936-128-0x0000000000D40000-0x0000000000EE2000-memory.dmp

Filesize
1.6MB

Download
memory/2232-10-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2232-8-0x00000000003B0000-0x00000000003B8000-memory.dmp

Filesize
32KB

Download
memory/2232-13-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2232-14-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2232-12-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2232-1-0x0000000001020000-0x00000000011C2000-memory.dmp

Filesize
1.6MB

Download
memory/2232-11-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2232-16-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2232-85-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/2232-9-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2232-15-0x0000000000C10000-0x0000000000C1A000-memory.dmp

Filesize
40KB

Download
memory/2232-7-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2232-5-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2232-6-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2232-2-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-4-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2232-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2584-198-0x0000000001280000-0x0000000001422000-memory.dmp

Filesize
1.6MB

Download
memory/2924-186-0x0000000000310000-0x00000000004B2000-memory.dmp

Filesize
1.6MB

Download
memory/2960-116-0x0000000000160000-0x0000000000302000-memory.dmp

Filesize
1.6MB

Download