dcrat | 7f1beb32d0565e8ebe9db45b1bc9a29b8fe6f2cfb7f17605bd2f6ec40f761b89

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Size

1.6MB
MD5

27b689b77f3516a11f09ecb8897ad4c2
SHA1

654cb72e6167f879a83930da230b28099359721f
SHA256

5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772
SHA512

8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2224	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2224	schtasks.exe	30

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2928-1-0x00000000012C0000-0x0000000001462000-memory.dmp	dcrat
behavioral1/files/0x0005000000019623-25.dat	dcrat
behavioral1/files/0x000500000001950e-110.dat	dcrat
behavioral1/memory/544-111-0x0000000000070000-0x0000000000212000-memory.dmp	dcrat
behavioral1/memory/2220-123-0x0000000000B40000-0x0000000000CE2000-memory.dmp	dcrat
behavioral1/memory/2144-146-0x00000000003B0000-0x0000000000552000-memory.dmp	dcrat
behavioral1/memory/1544-158-0x0000000000820000-0x00000000009C2000-memory.dmp	dcrat
behavioral1/memory/2944-170-0x0000000000C20000-0x0000000000DC2000-memory.dmp	dcrat
behavioral1/memory/2676-182-0x0000000000C70000-0x0000000000E12000-memory.dmp	dcrat
behavioral1/memory/2540-194-0x00000000013C0000-0x0000000001562000-memory.dmp	dcrat
behavioral1/memory/2076-206-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat
behavioral1/memory/2264-218-0x0000000000970000-0x0000000000B12000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3008	powershell.exe
1576	powershell.exe
1292	powershell.exe
1784	powershell.exe
2992	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
544	taskhost.exe
2220	taskhost.exe
2200	taskhost.exe
2144	taskhost.exe
1544	taskhost.exe
2944	taskhost.exe
2676	taskhost.exe
2540	taskhost.exe
2076	taskhost.exe
2264	taskhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\de-DE\7a0fd90576e088	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCX849D.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCX849E.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX86A1.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX86A2.tmp	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\6ccacd8608530f	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File created	C:\Program Files\DVD Maker\de-DE\explorer.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\explorer.exe	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2772	schtasks.exe
2524	schtasks.exe
1904	schtasks.exe
2608	schtasks.exe
2112	schtasks.exe
2652	schtasks.exe
2756	schtasks.exe
632	schtasks.exe
3032	schtasks.exe
2248	schtasks.exe
2660	schtasks.exe
2860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
3008	powershell.exe
1292	powershell.exe
2992	powershell.exe
1576	powershell.exe
1784	powershell.exe
544	taskhost.exe
2220	taskhost.exe
2200	taskhost.exe
2144	taskhost.exe
1544	taskhost.exe
2944	taskhost.exe
2676	taskhost.exe
2540	taskhost.exe
2076	taskhost.exe
2264	taskhost.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	544	taskhost.exe
Token: SeDebugPrivilege	2220	taskhost.exe
Token: SeDebugPrivilege	2200	taskhost.exe
Token: SeDebugPrivilege	2144	taskhost.exe
Token: SeDebugPrivilege	1544	taskhost.exe
Token: SeDebugPrivilege	2944	taskhost.exe
Token: SeDebugPrivilege	2676	taskhost.exe
Token: SeDebugPrivilege	2540	taskhost.exe
Token: SeDebugPrivilege	2076	taskhost.exe
Token: SeDebugPrivilege	2264	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 2992	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	43
PID 2928 wrote to memory of 2992	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	43
PID 2928 wrote to memory of 2992	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	43
PID 2928 wrote to memory of 3008	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	44
PID 2928 wrote to memory of 3008	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	44
PID 2928 wrote to memory of 3008	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	44
PID 2928 wrote to memory of 1784	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	46
PID 2928 wrote to memory of 1784	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	46
PID 2928 wrote to memory of 1784	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	46
PID 2928 wrote to memory of 1292	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	48
PID 2928 wrote to memory of 1292	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	48
PID 2928 wrote to memory of 1292	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	48
PID 2928 wrote to memory of 1576	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	49
PID 2928 wrote to memory of 1576	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	49
PID 2928 wrote to memory of 1576	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	49
PID 2928 wrote to memory of 544	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	53
PID 2928 wrote to memory of 544	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	53
PID 2928 wrote to memory of 544	2928	5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe	53
PID 544 wrote to memory of 2400	544	taskhost.exe	54
PID 544 wrote to memory of 2400	544	taskhost.exe	54
PID 544 wrote to memory of 2400	544	taskhost.exe	54
PID 544 wrote to memory of 1720	544	taskhost.exe	55
PID 544 wrote to memory of 1720	544	taskhost.exe	55
PID 544 wrote to memory of 1720	544	taskhost.exe	55
PID 2400 wrote to memory of 2220	2400	WScript.exe	56
PID 2400 wrote to memory of 2220	2400	WScript.exe	56
PID 2400 wrote to memory of 2220	2400	WScript.exe	56
PID 2220 wrote to memory of 1048	2220	taskhost.exe	57
PID 2220 wrote to memory of 1048	2220	taskhost.exe	57
PID 2220 wrote to memory of 1048	2220	taskhost.exe	57
PID 2220 wrote to memory of 2920	2220	taskhost.exe	58
PID 2220 wrote to memory of 2920	2220	taskhost.exe	58
PID 2220 wrote to memory of 2920	2220	taskhost.exe	58
PID 1048 wrote to memory of 2200	1048	WScript.exe	60
PID 1048 wrote to memory of 2200	1048	WScript.exe	60
PID 1048 wrote to memory of 2200	1048	WScript.exe	60
PID 2200 wrote to memory of 2940	2200	taskhost.exe	61
PID 2200 wrote to memory of 2940	2200	taskhost.exe	61
PID 2200 wrote to memory of 2940	2200	taskhost.exe	61
PID 2200 wrote to memory of 1880	2200	taskhost.exe	62
PID 2200 wrote to memory of 1880	2200	taskhost.exe	62
PID 2200 wrote to memory of 1880	2200	taskhost.exe	62
PID 2940 wrote to memory of 2144	2940	WScript.exe	63
PID 2940 wrote to memory of 2144	2940	WScript.exe	63
PID 2940 wrote to memory of 2144	2940	WScript.exe	63
PID 2144 wrote to memory of 852	2144	taskhost.exe	64
PID 2144 wrote to memory of 852	2144	taskhost.exe	64
PID 2144 wrote to memory of 852	2144	taskhost.exe	64
PID 2144 wrote to memory of 3004	2144	taskhost.exe	65
PID 2144 wrote to memory of 3004	2144	taskhost.exe	65
PID 2144 wrote to memory of 3004	2144	taskhost.exe	65
PID 852 wrote to memory of 1544	852	WScript.exe	66
PID 852 wrote to memory of 1544	852	WScript.exe	66
PID 852 wrote to memory of 1544	852	WScript.exe	66
PID 1544 wrote to memory of 712	1544	taskhost.exe	67
PID 1544 wrote to memory of 712	1544	taskhost.exe	67
PID 1544 wrote to memory of 712	1544	taskhost.exe	67
PID 1544 wrote to memory of 996	1544	taskhost.exe	68
PID 1544 wrote to memory of 996	1544	taskhost.exe	68
PID 1544 wrote to memory of 996	1544	taskhost.exe	68
PID 712 wrote to memory of 2944	712	WScript.exe	69
PID 712 wrote to memory of 2944	712	WScript.exe	69
PID 712 wrote to memory of 2944	712	WScript.exe	69
PID 2944 wrote to memory of 2852	2944	taskhost.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe
"C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\MSOCache\All Users\taskhost.exe
  "C:\MSOCache\All Users\taskhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aedc185-f17c-470f-8cb0-e65c14db4600.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\MSOCache\All Users\taskhost.exe
      "C:\MSOCache\All Users\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f146b42-252c-4ae5-9998-d3c4daae9ae8.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0606a5af-1eaf-40f0-9980-0d2b95597233.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7175e82-c356-4194-b6c4-dd7c1ce6d777.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e9ee827-936e-4561-b232-5a5bfbf274a8.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe75ad83-b941-48a9-b576-931a4e3315b3.vbs"
        13⤵
        
        PID:2852
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62f51c62-4395-42d4-b483-dd8691395396.vbs"
        15⤵
        
        PID:2696
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59e28a06-3804-4ea2-a58a-f411bc630ba1.vbs"
        17⤵
        
        PID:2776
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77632600-43e1-4bc6-be33-edd9501d084b.vbs"
        19⤵
        
        PID:2284
        
        C:\MSOCache\All Users\taskhost.exe
        
        "C:\MSOCache\All Users\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3014f1e9-a33c-4d15-ade6-2d3748aad238.vbs"
        21⤵
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96bd527b-8866-4a64-876f-4a790dfdab46.vbs"
        21⤵
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ec35b69-c49d-4a0a-8536-236ff9504dc2.vbs"
        19⤵
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b3237a3-5aae-4078-9ba8-48331d28d746.vbs"
        17⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b59fcf1-b760-4e74-877d-55791e7b8f36.vbs"
        15⤵
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5c72aa2-f3ab-4352-82a0-13bfd7b1d266.vbs"
        13⤵
        
        PID:1276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f708daf7-4203-4c71-800b-78f0cc6e7897.vbs"
        11⤵
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e23b947-6f8c-4618-8815-7467683270f3.vbs"
        9⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4a1c65b-6d04-4357-adcf-7013d3113ce7.vbs"
        7⤵
        
        PID:1880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85027bab-bd64-4dcd-96ab-2b3a06ad2ed1.vbs"
        5⤵
        
        PID:2920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ec8325-d663-4bf3-b138-5be9a04e2efc.vbs"
    3⤵
    PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\taskhost.exe

Filesize
1.6MB

MD5
27b689b77f3516a11f09ecb8897ad4c2

SHA1
654cb72e6167f879a83930da230b28099359721f

SHA256
5a6af1e38c007c3572a78c7fe575e08674cfcea126ef351ce83f213af9aa8772

SHA512
8d55b966e8e634053b62cb545366d661a37dbf467e836b8028ad63055cccd3c9032c9ba04a84e79994926425250e39f808757cfec454ddf2670cff3569b3cbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\02ec8325-d663-4bf3-b138-5be9a04e2efc.vbs

Filesize
486B

MD5
b856bb2f9a3cbc0251213044ebc446ed

SHA1
2e1d716cdb06db3e552e0a83cd5b3e207a25436c

SHA256
9082620c90eeaf4a8ddc23a127031b34d1368519b383336851ef402d4c5a07e8

SHA512
a56951c41a2c4237d1cd1c9b98fd10306d8a992400bba92eb968e5b17837467802a70eccfb6aeed687ab5475db7dc2126423583357375e2464f67b8f1fba7ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\0606a5af-1eaf-40f0-9980-0d2b95597233.vbs

Filesize
710B

MD5
023855446358defdd16df06105ee8313

SHA1
91e07e6a3ded988417c7c01c668df1e71c2f08df

SHA256
dcfc6f24e437aa14bedee9edc2210cd215a004e25531d46e838a10e9dffb9563

SHA512
af67909c26e455ba0e0ee9e04333cf1a2aaaad70f14e3a8cece32c77af6b0aacd13409a895812631093a19a4e90e716daa8bafb9a41e2aed20202757ddd4a011

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e9ee827-936e-4561-b232-5a5bfbf274a8.vbs

Filesize
710B

MD5
437ab709a3990ff6167f7b5dbac49d51

SHA1
9b92bdea84a0440c325b313707d91708a88378f1

SHA256
e4b482302cb35467d38d6a316b49d3b8eb62b0617ef977855b907a76e65dc27e

SHA512
c0c60b9855fe225dd8a5ea5e1c4f3ae09a9a9c7d6c29cc3334810cc387e20572c9c7e545a9d1f769c6b4011aae754c55a123c638bcacce7e77bdd49f07cc1b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\3014f1e9-a33c-4d15-ade6-2d3748aad238.vbs

Filesize
710B

MD5
61cff87a3d63331f7d4f37bc5a8929f7

SHA1
5e573fb7ff52fd53d030b8d2b009f2324414499b

SHA256
3f7ba957a93a0608bd1e66301f5e9f230b4eab18dc87e4cb28a343bee19846a9

SHA512
7e2f31893d0299312beebeaeb5b3c644d4a98b88d7e703fe00e9ca10cb243e7e78bccc9f7834feb3583640f871e7dc616b3f6ec68af8d00edd5439c6a5bf7e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\59e28a06-3804-4ea2-a58a-f411bc630ba1.vbs

Filesize
710B

MD5
449a946fe48f023384046bd1bad543b0

SHA1
62e387f662441b2d45a48c7cfd1cf07e31fbf273

SHA256
652017aa32ab991754d6bb85858ad0f0f8540b9ed96553ca5a0a771b3504abdc

SHA512
6746c50b1854cf86f7fab5db8c5dee1397a75dfea733679b601f11ee5c0d69952178ec30b6b75d2c23df46fd326775005356b5c7dfed019a77084daa8fa2fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\62f51c62-4395-42d4-b483-dd8691395396.vbs

Filesize
710B

MD5
99d718afc79f4acc43f53e664f91cf07

SHA1
fe1b05c544dcfa197420b8d54f77eca61e125428

SHA256
e2be8e0fee9d2ef2f9b9a5aa22fae7a481aa771bca79c313f4505e7ba1fedd60

SHA512
a2c23d7dc399982db840e6d84601b6e5c395031498293b92394a3a056d6cb36fd52f5ff58e66a7858acd5e4abd587534f1102d10b37b7246107b68a7e079a003

Download Submit
C:\Users\Admin\AppData\Local\Temp\6aedc185-f17c-470f-8cb0-e65c14db4600.vbs

Filesize
709B

MD5
40223047305ba4040886e36a2537db13

SHA1
7f3335852f1425fb8b0456f1c539a6ecd274a748

SHA256
8980672497963986dfaba06c1fb8cabd52e812d48aeccb41f5852924c1970c9e

SHA512
c1970db313d456c3f772e7e62a58725fc1c3eed127da9c3276fdd6e3a0b63005fb9966bcbafcfb5df0e323528517d41146eb9d9fc6abf05eec3861670ad0cb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f146b42-252c-4ae5-9998-d3c4daae9ae8.vbs

Filesize
710B

MD5
c3679e1b2dbf0a7526342cda5553141a

SHA1
a6a58077716b4fd595535e596648f6466336ee9a

SHA256
4230624d2ccccb59c092afd4f971780757e953226450ccb7d51d02cca039e09f

SHA512
afd08bd9f1ec79001cbfa9efbc72000f370220d9df0ba4aa8cfbb912a4658f14d4cf14591fb8ef80ecde1849c0c4ac9f98130fef6b27cf8934519a9d08a376ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\77632600-43e1-4bc6-be33-edd9501d084b.vbs

Filesize
710B

MD5
a902c272bf113321f67ba485b54e4402

SHA1
326b41db353a3541fac6e6d0d159b58dc3fa4b06

SHA256
e54417b7be39ec632e6ce40c11f47787f51a3134595cf896bf0834e9561e9fd1

SHA512
13420e08b63ee913b98dc1a09d8c4ba60586da92e8957d001d49e670e0d35c368a2e00718b191248a642bdac6a7a499d0a15c28248cbc34ca0d40b897f5df420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX824A.tmp

Filesize
1.6MB

MD5
e7ff6018e21eed82eb573efe2efcb202

SHA1
da968c65cbb2143d12a3b7a6752a62cb402c8b50

SHA256
52a56abd445fcbaffc454cfae6f05d34909f118809204ac0c3ba92151ed7a29e

SHA512
dbd86f9ff5e4a69f9aaf17b7ed3d40f40c0612cb505a356823e622d9f3410546811437348eca34f0485c35d9c83892ad74cfc7f602ef5095c1ecddc8a5a3f3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7175e82-c356-4194-b6c4-dd7c1ce6d777.vbs

Filesize
710B

MD5
510361ae5ca4b221b6da587915213209

SHA1
2704645c5756c49f175698db7c135b71c53e07f2

SHA256
b1f33666db3030317446e808403850337490b2b22c67ffa72225998dfc8df517

SHA512
18b0784086aec8bce7176cb1e58249dcef2cae4819721605e8af9e1411f86f9f6af4efc0b28c1cfd067e8a938ce401c4b96358b60ddb9e0624b2c5973ebb47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe75ad83-b941-48a9-b576-931a4e3315b3.vbs

Filesize
710B

MD5
109cea1d13d4cd424686e772faebbffb

SHA1
23fa618152d9a513313ea529145bd57c588f69e9

SHA256
8f468e03422e884236130b5811bca49ed309b622d8bc8a6bbfd13385b7b7ea7b

SHA512
4f38cb0dfba83ef24e696420865ea7c5e1ca964e1062afec939642a4759d9bf1cdcb5555534a158d62738ae9380cd6d8d8a016c98a4bd27c7dde4569a0f61cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
156161f0c976c37411614c939e215fd1

SHA1
38f8c77e103331a157d30c02ec59066365f6864b

SHA256
f28c8df74330518ccd7cc8b3506758c05f84ce46d2e284a83b155c22ef494955

SHA512
39d4670043b81f239308e2223631068a5e3df36f5e32043720bdd39ef45c7721bfb17f70b3074463237c488478ebd90664b69190bb52955a68e9543bb6b40e88

Download Submit
memory/544-111-0x0000000000070000-0x0000000000212000-memory.dmp

Filesize
1.6MB

Download
memory/1292-95-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1544-158-0x0000000000820000-0x00000000009C2000-memory.dmp

Filesize
1.6MB

Download
memory/2076-206-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/2144-146-0x00000000003B0000-0x0000000000552000-memory.dmp

Filesize
1.6MB

Download
memory/2220-123-0x0000000000B40000-0x0000000000CE2000-memory.dmp

Filesize
1.6MB

Download
memory/2264-218-0x0000000000970000-0x0000000000B12000-memory.dmp

Filesize
1.6MB

Download
memory/2540-194-0x00000000013C0000-0x0000000001562000-memory.dmp

Filesize
1.6MB

Download
memory/2676-182-0x0000000000C70000-0x0000000000E12000-memory.dmp

Filesize
1.6MB

Download
memory/2928-14-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download
memory/2928-0-0x000007FEF5E63000-0x000007FEF5E64000-memory.dmp

Filesize
4KB

Download
memory/2928-1-0x00000000012C0000-0x0000000001462000-memory.dmp

Filesize
1.6MB

Download
memory/2928-8-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/2928-9-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/2928-15-0x0000000001240000-0x000000000124A000-memory.dmp

Filesize
40KB

Download
memory/2928-16-0x0000000001250000-0x000000000125C000-memory.dmp

Filesize
48KB

Download
memory/2928-11-0x0000000001200000-0x000000000120A000-memory.dmp

Filesize
40KB

Download
memory/2928-13-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/2928-112-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-2-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-12-0x0000000001210000-0x000000000121E000-memory.dmp

Filesize
56KB

Download
memory/2928-10-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

Filesize
48KB

Download
memory/2928-7-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2928-5-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/2928-6-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2928-4-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2928-3-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/2944-170-0x0000000000C20000-0x0000000000DC2000-memory.dmp

Filesize
1.6MB

Download
memory/3008-100-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download