dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86513494c7861a5a0c9f1c0fb478e36d.exe
Size

2.5MB
MD5

86513494c7861a5a0c9f1c0fb478e36d
SHA1

0e7ef50b5b4d51bda8789151b444505e4fdec51f
SHA256

80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
SHA512

e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
SSDEEP

49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 3 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
2816	schtasks.exe
2560	schtasks.exe
1516	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2820	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2952	powershell.exe
2932	powershell.exe
2732	powershell.exe
2168	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1776	csrss.exe
1540	csrss.exe
1296	csrss.exe
2204	csrss.exe
2792	csrss.exe
952	csrss.exe
1960	csrss.exe
2840	csrss.exe
1164	csrss.exe
2328	csrss.exe
2076	csrss.exe
2708	csrss.exe
2700	csrss.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\pcasvc\\csrss.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Microsoft Games\\lsass.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\PerfLogs\\Admin\\csrss.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\pcasvc\csrss.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\System32\pcasvc\886983d96e3d3e	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\pcasvc\RCX6C6D.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\pcasvc\RCX6C6E.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\System32\pcasvc\csrss.exe	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\RCX6E73.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files\Microsoft Games\lsass.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Program Files\Microsoft Games\lsass.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Program Files\Microsoft Games\6203df4a6bafc7	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files\Microsoft Games\RCX6E72.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1516	schtasks.exe
2816	schtasks.exe
2560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2236	86513494c7861a5a0c9f1c0fb478e36d.exe
2732	powershell.exe
2168	powershell.exe
2952	powershell.exe
2932	powershell.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1776	csrss.exe
1540	csrss.exe
1540	csrss.exe
1540	csrss.exe
1540	csrss.exe
1540	csrss.exe
1540	csrss.exe
1540	csrss.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	86513494c7861a5a0c9f1c0fb478e36d.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1776	csrss.exe
Token: SeDebugPrivilege	1540	csrss.exe
Token: SeDebugPrivilege	1296	csrss.exe
Token: SeDebugPrivilege	2204	csrss.exe
Token: SeDebugPrivilege	2792	csrss.exe
Token: SeDebugPrivilege	952	csrss.exe
Token: SeDebugPrivilege	1960	csrss.exe
Token: SeDebugPrivilege	2840	csrss.exe
Token: SeDebugPrivilege	1164	csrss.exe
Token: SeDebugPrivilege	2328	csrss.exe
Token: SeDebugPrivilege	2076	csrss.exe
Token: SeDebugPrivilege	2708	csrss.exe
Token: SeDebugPrivilege	2700	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2952	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	34
PID 2236 wrote to memory of 2952	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	34
PID 2236 wrote to memory of 2952	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	34
PID 2236 wrote to memory of 2932	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	35
PID 2236 wrote to memory of 2932	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	35
PID 2236 wrote to memory of 2932	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	35
PID 2236 wrote to memory of 2732	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	36
PID 2236 wrote to memory of 2732	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	36
PID 2236 wrote to memory of 2732	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	36
PID 2236 wrote to memory of 2168	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	38
PID 2236 wrote to memory of 2168	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	38
PID 2236 wrote to memory of 2168	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	38
PID 2236 wrote to memory of 1764	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	42
PID 2236 wrote to memory of 1764	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	42
PID 2236 wrote to memory of 1764	2236	86513494c7861a5a0c9f1c0fb478e36d.exe	42
PID 1764 wrote to memory of 2356	1764	cmd.exe	44
PID 1764 wrote to memory of 2356	1764	cmd.exe	44
PID 1764 wrote to memory of 2356	1764	cmd.exe	44
PID 1764 wrote to memory of 1776	1764	cmd.exe	45
PID 1764 wrote to memory of 1776	1764	cmd.exe	45
PID 1764 wrote to memory of 1776	1764	cmd.exe	45
PID 1776 wrote to memory of 840	1776	csrss.exe	46
PID 1776 wrote to memory of 840	1776	csrss.exe	46
PID 1776 wrote to memory of 840	1776	csrss.exe	46
PID 1776 wrote to memory of 916	1776	csrss.exe	47
PID 1776 wrote to memory of 916	1776	csrss.exe	47
PID 1776 wrote to memory of 916	1776	csrss.exe	47
PID 840 wrote to memory of 1540	840	WScript.exe	48
PID 840 wrote to memory of 1540	840	WScript.exe	48
PID 840 wrote to memory of 1540	840	WScript.exe	48
PID 1540 wrote to memory of 2928	1540	csrss.exe	49
PID 1540 wrote to memory of 2928	1540	csrss.exe	49
PID 1540 wrote to memory of 2928	1540	csrss.exe	49
PID 1540 wrote to memory of 1208	1540	csrss.exe	50
PID 1540 wrote to memory of 1208	1540	csrss.exe	50
PID 1540 wrote to memory of 1208	1540	csrss.exe	50
PID 2928 wrote to memory of 1296	2928	WScript.exe	51
PID 2928 wrote to memory of 1296	2928	WScript.exe	51
PID 2928 wrote to memory of 1296	2928	WScript.exe	51
PID 1296 wrote to memory of 2672	1296	csrss.exe	52
PID 1296 wrote to memory of 2672	1296	csrss.exe	52
PID 1296 wrote to memory of 2672	1296	csrss.exe	52
PID 1296 wrote to memory of 2588	1296	csrss.exe	53
PID 1296 wrote to memory of 2588	1296	csrss.exe	53
PID 1296 wrote to memory of 2588	1296	csrss.exe	53
PID 2672 wrote to memory of 2204	2672	WScript.exe	54
PID 2672 wrote to memory of 2204	2672	WScript.exe	54
PID 2672 wrote to memory of 2204	2672	WScript.exe	54
PID 2204 wrote to memory of 2308	2204	csrss.exe	55
PID 2204 wrote to memory of 2308	2204	csrss.exe	55
PID 2204 wrote to memory of 2308	2204	csrss.exe	55
PID 2204 wrote to memory of 2688	2204	csrss.exe	56
PID 2204 wrote to memory of 2688	2204	csrss.exe	56
PID 2204 wrote to memory of 2688	2204	csrss.exe	56
PID 2308 wrote to memory of 2792	2308	WScript.exe	57
PID 2308 wrote to memory of 2792	2308	WScript.exe	57
PID 2308 wrote to memory of 2792	2308	WScript.exe	57
PID 2792 wrote to memory of 2584	2792	csrss.exe	58
PID 2792 wrote to memory of 2584	2792	csrss.exe	58
PID 2792 wrote to memory of 2584	2792	csrss.exe	58
PID 2792 wrote to memory of 2376	2792	csrss.exe	59
PID 2792 wrote to memory of 2376	2792	csrss.exe	59
PID 2792 wrote to memory of 2376	2792	csrss.exe	59
PID 2584 wrote to memory of 952	2584	WScript.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe
"C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\pcasvc\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3v8V9qQNDP.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2356
- - C:\PerfLogs\Admin\csrss.exe
    "C:\PerfLogs\Admin\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b18593fd-361f-4fa4-93a6-99bbed1e5001.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:840
    - - C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f89a787-3216-4340-85f4-25f35d1f4b8b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4106d5e-da6e-483c-8996-8bdfd3921a70.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68dd3221-af3b-4285-ba55-5794bdd05416.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\237685ac-e394-4a6e-9f44-0382453e895f.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\267ae9cd-17d7-422f-b273-fe1d2c97a72a.vbs"
        14⤵
        
        PID:1528
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed7fcdb7-784d-43e4-801b-ec934a04155b.vbs"
        16⤵
        
        PID:2476
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb31baec-84b4-4613-bc57-00a1fbda6f98.vbs"
        18⤵
        
        PID:2456
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f4aeb19-0bbb-4aa9-a12d-72c4f0314c9f.vbs"
        20⤵
        
        PID:1804
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\63e227ab-63d1-4a1a-8a9a-5b7e1d6e927b.vbs"
        22⤵
        
        PID:1656
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eef3c190-c576-4ff2-9619-d2a90da11095.vbs"
        24⤵
        
        PID:1564
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc2ee759-8229-41f5-819a-fe64e8e9553b.vbs"
        26⤵
        
        PID:2984
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c1809a7-a16a-4273-b727-c76e4ebc0831.vbs"
        28⤵
        
        PID:2812
        
        C:\PerfLogs\Admin\csrss.exe
        
        C:\PerfLogs\Admin\csrss.exe
        29⤵
        
        PID:3044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c9a86a0-fa26-4953-b354-facdad316870.vbs"
        28⤵
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66f687aa-51d8-41fd-97fa-f059bddbd49a.vbs"
        26⤵
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d86fc052-d08a-4399-97aa-9ba514ea39e8.vbs"
        24⤵
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\92044f0a-dbf3-4a55-af64-21dcdee3c055.vbs"
        22⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab919df1-d9c7-40f5-a45c-2390ee25f18c.vbs"
        20⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbc44ad7-a9c1-499b-98b7-b951ab50ec73.vbs"
        18⤵
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9961093c-830b-4fad-ad87-719dcbc88cce.vbs"
        16⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83896410-de7c-485d-aad5-98fbafa7803d.vbs"
        14⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d5ef55b-14e6-4756-b179-9425de74cc71.vbs"
        12⤵
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c837d41e-2380-4e39-9eb8-095eaa0ae206.vbs"
        10⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbc597d9-fd26-4b41-8f72-7147b7fc3fb2.vbs"
        8⤵
        
        PID:2588
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee2e8f23-1691-44a1-8c7e-3fbcf4f06291.vbs"
        6⤵
        
        PID:1208
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9a5f998-77e9-46a1-964f-b60fdad77eb6.vbs"
      4⤵
      PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\pcasvc\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\csrss.exe

Filesize
2.1MB

MD5
cb1d29b79e594724ef830d6e68ce0ec4

SHA1
5754a78d6e56f42ce63af88f029449a1d96d5c55

SHA256
e8101d449b3c85d321d12a15bc24832fa9db0a5f30e896ff15133a10a78e41a6

SHA512
8b7fd72967f7d4dad67018a54f31477ae13022b2974a158a30b6143a3b9103ac4a89b185f65d2929e8d82820d64a6d244070965663f69cb99a0763c13f246918

Download Submit
C:\PerfLogs\Admin\csrss.exe

Filesize
2.5MB

MD5
51974b8defb797f73d95efc33bd82ee9

SHA1
9d92e517723756ffcec37e3e79a39efa5225323b

SHA256
e1ba6720d8721d2114667a0ff5a15725251e8edff6231d13f5803318fa4823cd

SHA512
c423fdcbaf91694e38cfe7e1e9dc146e1b6f50d0b2f1a77b375bd6cda8a609f0c1de761cf3d8bd86b3d3f353cac8dd0ec763c13b605cff9dc543dc276afbc08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f89a787-3216-4340-85f4-25f35d1f4b8b.vbs

Filesize
703B

MD5
ad353b3788291d83ab6b382dadf8b49e

SHA1
8370345e03c51855ba855032a19fecd0bfc5b165

SHA256
14c27669acad93b8e820ba58143591e535fbb24221fa40408fa06ff578036999

SHA512
68c4aa45022f50ceaaed20d998b3ce3590f5bf7d1139259900319fe538eae99559e98103cabd7bb66e1baa90729efcf705d652ae483d578a89a3f4c8e85a8f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\237685ac-e394-4a6e-9f44-0382453e895f.vbs

Filesize
703B

MD5
512eaa8352d87277260a6fb7d4a0c397

SHA1
b92f61d4cffc579d152a5d8fd468a66e88be115b

SHA256
9ff7df126987bdb771242bf77e35a239fab841e52ee1c72c81bb536420cac8e3

SHA512
c3c621631884d4eb45c11b9ab7fb1ddc2a0e730f4a634b828050b6e780bd0b452d007e270e78655cd4b0ec7a4afa976b98534b0933ac79c1fd8c171490dae058

Download Submit
C:\Users\Admin\AppData\Local\Temp\267ae9cd-17d7-422f-b273-fe1d2c97a72a.vbs

Filesize
702B

MD5
cf9aa28b4d322ceb1cbeb3bd1e2e3b2b

SHA1
491401c373cae61e3603ae4a5a99cd5273559d01

SHA256
41e43a5bf16ada08ae09a3685f79c68ac96392d5e2805e8df34734fa35bf22a2

SHA512
f64743d3928c07f26b22cc3df59fbb8b3e6428c6e87ac72075343519020b9680ff3596bbff44e4955d340322e71a133bebb180d99b852789eab81c9e57175c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f4aeb19-0bbb-4aa9-a12d-72c4f0314c9f.vbs

Filesize
703B

MD5
56a11f97387c31b4168b2b5efbc6113c

SHA1
1835cdf68be8db769a2735737ccf589a669808e2

SHA256
69657e7972925127d27bc2ad2abb21ed0e1b0f89800c24ff03f41a581f250199

SHA512
8038c4c9203749fa187ea30db81d84576533fc881c8345e8ae03c546b844db58a427c247932c935541709583186e0f6c5fd46d6de15413123a03a3f6e67a1e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3v8V9qQNDP.bat

Filesize
191B

MD5
cf5c0cc3a61b135c9ce7931fdf6ffc0b

SHA1
f9fb5d65345ac0300ff9ab7a04e765c8a06baaef

SHA256
acf10029d0424bc16dc021f4df3112524fbb1b05ca7bfa042a3684d6d965c7f1

SHA512
da868a9aa7a9a1304328f8f651a0db61d7b504b24e6640902d4eb24f2c130578836e4b5168ee492c038757b2bfc19ca394cabed96f007ae3771cf3a36d72fbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\63e227ab-63d1-4a1a-8a9a-5b7e1d6e927b.vbs

Filesize
703B

MD5
cef5bcc43a970f34a8c3c51e756eddf4

SHA1
bb4906dbdbc428f9f8df8671b2ce07b52886e561

SHA256
cf7f9cc8f2867770a5ad793539ead27c5788506fb4a5b4e8e459d0cdaa8acc74

SHA512
3badbf90278fdce5b96eb51ddc44cfbcf6a8ec12dcfa1dd0b89ee377db6b808e1fcc7af7f89c544c83d403c5ef1fdc8c2a1a7ab65b1e5d54b21f7a8653006a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\68dd3221-af3b-4285-ba55-5794bdd05416.vbs

Filesize
703B

MD5
9263b8b19faf58ebcdfaa1c3214e2ef6

SHA1
f51b1ffd957f76dceab643e109e294ee4bd4bbd8

SHA256
399565faf3dab483b4bbe4e53afd901339f947b9b2031d86fc878e8cafa5e057

SHA512
d9a7d85de01d0555f4fc13c40d54c9aab27330feb397b248fa55bcb6d5242950794fed157b42c8c0e0bdb189004bf2379b59a20c66cb7d89d45bab77f365327d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c1809a7-a16a-4273-b727-c76e4ebc0831.vbs

Filesize
703B

MD5
1cdf12619574765abcf7f9fd54ae14f7

SHA1
3d32648d3ef06171cb135bae8eb2ed7bbb405a37

SHA256
55998ff8708ca0cd9f8bb4e829e5a9e336aa305569d56803f61f0beb83446f3e

SHA512
6fecd0a7002a07b73551acc898ba7eadd052323d471124bd913771c83d33c999f215fd540f586c3ca8bd3e62885e8e94958f46db38d3e5b3cf735f887fed76c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX67C9.tmp

Filesize
2.5MB

MD5
86513494c7861a5a0c9f1c0fb478e36d

SHA1
0e7ef50b5b4d51bda8789151b444505e4fdec51f

SHA256
80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794

SHA512
e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\b18593fd-361f-4fa4-93a6-99bbed1e5001.vbs

Filesize
703B

MD5
9ba1ee85e846a3bdfbab14cf8962a6ef

SHA1
fb0512306c6b5c66fa8d8f799b72673ccb634079

SHA256
2ca313a5d6c07a612026dc3385df6e8a8f0570a20c797d441a95d55459be15db

SHA512
5cc3bf86bd38428ac6c378782c0b5b7ef2da89f8a70da1fd46a1c73d4ecc892b92420a141aa53ef6b2fd4b6df69ff77b950de775ff677224b1f023abf5a049bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9a5f998-77e9-46a1-964f-b60fdad77eb6.vbs

Filesize
479B

MD5
1074474527e9374b19928712590c1159

SHA1
79562cdc56e6f952983e0225579efbdab883bdf6

SHA256
58b96c32252f4c5b56556410393a19dd34a91fe159b514d568119ce2d56e4f6d

SHA512
c453fb451e1e5e8e2a5d38890902e45957fb83a15bae7a34104b1bcb11443d370f33c15bd3366768e2c82985f3e44e31c40d1147613fca79a5e65c55815a5115

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc2ee759-8229-41f5-819a-fe64e8e9553b.vbs

Filesize
703B

MD5
e4fba3d081e448b5517bc7bb15e359c7

SHA1
635dee21f347955a0bf31dff2c05819eb94ce61c

SHA256
ae08465be2e03b7a1f1785dd5fb827ecd5b99e1655f9c37da37799fb5ab36530

SHA512
b1bc2dcb30685bee8a0bc787e695c72db5404bb1a9d3cfbe97066eb4591d7ac33e0f3f3bfeccfec8bfe186a467a0191c303d0ffd84d2eef6c3fa0dbde6757911

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb31baec-84b4-4613-bc57-00a1fbda6f98.vbs

Filesize
703B

MD5
73b0fd3ffeaadfce4fe729cf7c86a905

SHA1
b9bccbc90c27e36fa5d234af64b0f1ee3dc1da47

SHA256
f89ab545692b0446c7428aac82bcb13c9c6e240cf0923afe69c0f622d69cf8cd

SHA512
54d03b23df9a8b3f0d69b99ba97a9ee61ed3fa8de45ec749a2797afd5eb04c37febfb016044cfd4a586df1f824303e05030d88431368b9b517c6d4ff0dcc39f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed7fcdb7-784d-43e4-801b-ec934a04155b.vbs

Filesize
703B

MD5
1e784d160d7ed91ec972629640827f9c

SHA1
602c9a9457d14dbd79ae138fcd5968ed91b73370

SHA256
022663f7231124ee8eaffee8bb831dc64b759c73df324e2449c7382b0bc537b5

SHA512
8404ad4bd8ae9a23cf3fb6769845c142cbbf55a1b58ceb382539faf00c4ad66db656fc53ad945c7924ea49a2721b3be30c57a433a996f05a760a62f579d67038

Download Submit
C:\Users\Admin\AppData\Local\Temp\eef3c190-c576-4ff2-9619-d2a90da11095.vbs

Filesize
703B

MD5
1a081e32a744288f569de1ac1f05d78a

SHA1
96f47324049fdaee066701560aa87dbd64abb905

SHA256
eee1b6631d7e3b2bae6b33fd717528cdaa6a86fba3083751bcd7beb57aee2513

SHA512
03f122a4739cfc15ce45fb2c66d71261599f20d660092196cf4cdf0cca3faf2f4f0c1857dfaef1b7bb5a91a46e5011882a57cd3c1f80ff19c93725f0fa4d2895

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4106d5e-da6e-483c-8996-8bdfd3921a70.vbs

Filesize
703B

MD5
9b5841190a434941f75fd4a98f423811

SHA1
8ce8f0495065b2a5fee1442a847431663d58234a

SHA256
447fedf6c2027373479f4082faff9d7ce6a9e1bc9752e922edc8abae883f2dbf

SHA512
a6a65b4b897fec848729bdb131e9199f514629f4dac995acaacb90ed81fe707b8fea2d8be0dbd24cb5de6600a761d373554d0f66dd1c57ee2eed1fb60144f10b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
793531234808e860808cbafc9a0d813a

SHA1
88a6990bfa5b1549458dbe3503eea746b9692ea0

SHA256
c2fafaf28a220688f1b7e01976376b34f6f829caadfb36f27ec24bcc865270f0

SHA512
b8e0199147b8e10ec68ed5e8d9edd1246ec9931e39c0c6d7565f25f9c572f3243031ab9f5ea78987aff69b8dec86a20fb987d4977a8ce19ec54f08704142aa52

Download Submit
memory/952-152-0x0000000000280000-0x0000000000506000-memory.dmp

Filesize
2.5MB

Download
memory/1164-188-0x00000000002B0000-0x0000000000536000-memory.dmp

Filesize
2.5MB

Download
memory/1776-95-0x0000000000A60000-0x0000000000AB6000-memory.dmp

Filesize
344KB

Download
memory/1776-96-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/1776-94-0x0000000000F10000-0x0000000001196000-memory.dmp

Filesize
2.5MB

Download
memory/2076-213-0x0000000000BC0000-0x0000000000E46000-memory.dmp

Filesize
2.5MB

Download
memory/2204-129-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2236-9-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2236-8-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2236-16-0x00000000023B0000-0x00000000023BA000-memory.dmp

Filesize
40KB

Download
memory/2236-15-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2236-14-0x0000000002380000-0x000000000238C000-memory.dmp

Filesize
48KB

Download
memory/2236-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/2236-13-0x00000000023A0000-0x00000000023AA000-memory.dmp

Filesize
40KB

Download
memory/2236-12-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/2236-11-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/2236-10-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download
memory/2236-1-0x0000000000CF0000-0x0000000000F76000-memory.dmp

Filesize
2.5MB

Download
memory/2236-2-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-3-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2236-83-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-6-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2236-7-0x0000000000CA0000-0x0000000000CF6000-memory.dmp

Filesize
344KB

Download
memory/2236-4-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2236-5-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2328-201-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/2328-200-0x0000000000310000-0x0000000000596000-memory.dmp

Filesize
2.5MB

Download
memory/2700-237-0x00000000011C0000-0x0000000001446000-memory.dmp

Filesize
2.5MB

Download
memory/2700-238-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2708-225-0x0000000000DD0000-0x0000000001056000-memory.dmp

Filesize
2.5MB

Download
memory/2732-85-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2732-84-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2840-176-0x0000000000A60000-0x0000000000AB6000-memory.dmp

Filesize
344KB

Download
memory/2840-175-0x0000000000B90000-0x0000000000E16000-memory.dmp

Filesize
2.5MB

Download