dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Size

2.5MB
MD5

3dbf7d9fdfd5a0151f1003095ba9655c
SHA1

4f5de06a720298a5e32660fd0f56733ad611060f
SHA256

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26
SHA512

3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef
SSDEEP

49152:qGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:qGVyWNGGN2sqWs+fz+pVZTYp

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat 6 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2820	schtasks.exe
File created	C:\Windows\System32\wkscli\services.exe		86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
		2960	schtasks.exe
		3028	schtasks.exe
		1664	schtasks.exe
File created	C:\Windows\System32\wkscli\c5b4cb5e9653cc		86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Dcrat family
dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2864	schtasks.exe	29

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2852	powershell.exe
2964	powershell.exe
1176	powershell.exe
544	powershell.exe
2092	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
560	services.exe
320	services.exe
2540	services.exe
2764	services.exe
1376	services.exe
2124	services.exe
1332	services.exe
2672	services.exe
2184	services.exe
2112	services.exe
2852	services.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\lsm.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\System32\\wkscli\\services.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Public\\Documents\\My Music\\csrss.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\spoolsv.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wkscli\services.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\wkscli\c5b4cb5e9653cc	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\wkscli\RCXA48B.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\wkscli\RCXA509.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\wkscli\services.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe
2960	schtasks.exe
3028	schtasks.exe
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
544	powershell.exe
2852	powershell.exe
2964	powershell.exe
2092	powershell.exe
1176	powershell.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
560	services.exe
320	services.exe
320	services.exe
320	services.exe
320	services.exe
320	services.exe
320	services.exe
320	services.exe
320	services.exe
320	services.exe
320	services.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	560	services.exe
Token: SeDebugPrivilege	320	services.exe
Token: SeDebugPrivilege	2540	services.exe
Token: SeDebugPrivilege	2764	services.exe
Token: SeDebugPrivilege	1376	services.exe
Token: SeDebugPrivilege	2124	services.exe
Token: SeDebugPrivilege	1332	services.exe
Token: SeDebugPrivilege	2672	services.exe
Token: SeDebugPrivilege	2184	services.exe
Token: SeDebugPrivilege	2112	services.exe
Token: SeDebugPrivilege	2852	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2092	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	34
PID 2604 wrote to memory of 2092	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	34
PID 2604 wrote to memory of 2092	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	34
PID 2604 wrote to memory of 2852	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	35
PID 2604 wrote to memory of 2852	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	35
PID 2604 wrote to memory of 2852	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	35
PID 2604 wrote to memory of 2964	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2604 wrote to memory of 2964	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2604 wrote to memory of 2964	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2604 wrote to memory of 1176	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2604 wrote to memory of 1176	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2604 wrote to memory of 1176	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2604 wrote to memory of 544	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	40
PID 2604 wrote to memory of 544	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	40
PID 2604 wrote to memory of 544	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	40
PID 2604 wrote to memory of 2500	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	44
PID 2604 wrote to memory of 2500	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	44
PID 2604 wrote to memory of 2500	2604	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	44
PID 2500 wrote to memory of 2516	2500	cmd.exe	46
PID 2500 wrote to memory of 2516	2500	cmd.exe	46
PID 2500 wrote to memory of 2516	2500	cmd.exe	46
PID 2500 wrote to memory of 560	2500	cmd.exe	47
PID 2500 wrote to memory of 560	2500	cmd.exe	47
PID 2500 wrote to memory of 560	2500	cmd.exe	47
PID 560 wrote to memory of 1816	560	services.exe	48
PID 560 wrote to memory of 1816	560	services.exe	48
PID 560 wrote to memory of 1816	560	services.exe	48
PID 560 wrote to memory of 2276	560	services.exe	49
PID 560 wrote to memory of 2276	560	services.exe	49
PID 560 wrote to memory of 2276	560	services.exe	49
PID 1816 wrote to memory of 320	1816	WScript.exe	50
PID 1816 wrote to memory of 320	1816	WScript.exe	50
PID 1816 wrote to memory of 320	1816	WScript.exe	50
PID 320 wrote to memory of 2324	320	services.exe	51
PID 320 wrote to memory of 2324	320	services.exe	51
PID 320 wrote to memory of 2324	320	services.exe	51
PID 320 wrote to memory of 2060	320	services.exe	52
PID 320 wrote to memory of 2060	320	services.exe	52
PID 320 wrote to memory of 2060	320	services.exe	52
PID 2324 wrote to memory of 2540	2324	WScript.exe	53
PID 2324 wrote to memory of 2540	2324	WScript.exe	53
PID 2324 wrote to memory of 2540	2324	WScript.exe	53
PID 2540 wrote to memory of 2788	2540	services.exe	54
PID 2540 wrote to memory of 2788	2540	services.exe	54
PID 2540 wrote to memory of 2788	2540	services.exe	54
PID 2540 wrote to memory of 2208	2540	services.exe	55
PID 2540 wrote to memory of 2208	2540	services.exe	55
PID 2540 wrote to memory of 2208	2540	services.exe	55
PID 2788 wrote to memory of 2764	2788	WScript.exe	56
PID 2788 wrote to memory of 2764	2788	WScript.exe	56
PID 2788 wrote to memory of 2764	2788	WScript.exe	56
PID 2764 wrote to memory of 2028	2764	services.exe	57
PID 2764 wrote to memory of 2028	2764	services.exe	57
PID 2764 wrote to memory of 2028	2764	services.exe	57
PID 2764 wrote to memory of 2416	2764	services.exe	58
PID 2764 wrote to memory of 2416	2764	services.exe	58
PID 2764 wrote to memory of 2416	2764	services.exe	58
PID 2028 wrote to memory of 1376	2028	WScript.exe	59
PID 2028 wrote to memory of 1376	2028	WScript.exe	59
PID 2028 wrote to memory of 1376	2028	WScript.exe	59
PID 1376 wrote to memory of 2852	1376	services.exe	60
PID 1376 wrote to memory of 2852	1376	services.exe	60
PID 1376 wrote to memory of 2852	1376	services.exe	60
PID 1376 wrote to memory of 2996	1376	services.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
"C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe"
1⤵
- DcRat
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wkscli\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xifUwYYkTy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2516
- - C:\Windows\System32\wkscli\services.exe
    "C:\Windows\System32\wkscli\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f411ff1-7b3a-4a95-852b-79b9e59c5aa2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1816
    - - C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a989cd9-8d68-405b-8230-b629b9d178a7.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e62d11be-b8e0-4182-b9ec-0e658d09263f.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8321845-c681-4ece-af13-ee7f69386948.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0a61a8-43d0-4a85-a18f-87b1fa4b539d.vbs"
        12⤵
        
        PID:2852
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\027cef3d-061d-4182-94c5-ab07683dcf54.vbs"
        14⤵
        
        PID:1692
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe4ec32-b8af-438f-971c-c1c706cf4173.vbs"
        16⤵
        
        PID:2392
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f31243c8-9492-4ef5-b61b-6af13b0eebe3.vbs"
        18⤵
        
        PID:2456
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4729b652-d3ec-4377-a3d2-3ea08a4d227c.vbs"
        20⤵
        
        PID:2612
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfdb0530-1ce9-4108-b871-b7ab66f2c137.vbs"
        22⤵
        
        PID:1440
        
        C:\Windows\System32\wkscli\services.exe
        
        C:\Windows\System32\wkscli\services.exe
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34db71d2-f6a2-4477-91c1-115bbc8d8f85.vbs"
        24⤵
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e88a4bba-7f83-4bc1-aa6c-46cd2efaa8bc.vbs"
        24⤵
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef201785-f1b8-484c-afac-5202f0212f9a.vbs"
        22⤵
        
        PID:2104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a802b70-e1d1-44d5-bc9b-e5cb8be01133.vbs"
        20⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbc3b765-1e4a-40f5-afd3-577657e9a6ef.vbs"
        18⤵
        
        PID:712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\555997f4-eb8c-4085-9c8a-405070611340.vbs"
        16⤵
        
        PID:2744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a499283a-4591-461f-a56e-7e9ba4ca5c0b.vbs"
        14⤵
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a69c0bd-53cf-4169-a0b8-d21c4a9c3a90.vbs"
        12⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1aa502c3-c7f6-4333-944a-dcf3db670e57.vbs"
        10⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05a4e4ae-6463-4178-8255-c0b129d26512.vbs"
        8⤵
        
        PID:2208
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93747bf7-c09c-4afa-9657-c74647c0b134.vbs"
        6⤵
        
        PID:2060
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e262f78b-7416-43ae-bee1-8e7635a04684.vbs"
      4⤵
      PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\System32\wkscli\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RCXA9BE.tmp

Filesize
2.5MB

MD5
6e8792e63064ff1282e6524e842fc4ca

SHA1
f4af8eb3450cb933d95cf9fdaa0d669591280328

SHA256
01410a58adf30b11d731fb80d8475a86fd79b3dcad3fe49dba96e14726146024

SHA512
e20a18d7b8ecb46e3a7c014dc5ead27e1c5fee136e0599ee98413241a8f070ba04dc83f248b8a6d840846ae0ca04e52bb17515aa6e154e45eb1fcbacfd333471

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe

Filesize
2.5MB

MD5
0e3985c1a8504cdf294a572528460102

SHA1
3d28ee17fc308759a708eabdae15002f2b6cdea1

SHA256
b13c4477d9c48beedbc58ee156b7172875d042427eb50505fb7387b86dd59964

SHA512
5d425a382a5ec0b5256779770d6f3b5eed3a6b77d8a65689cfb1dea1a02b10fd65f74869c65c0e61d569f899a6437b0c2533ebb21a7be0a9abbfcd1a719ca019

Download Submit
C:\Users\Admin\AppData\Local\Temp\027cef3d-061d-4182-94c5-ab07683dcf54.vbs

Filesize
715B

MD5
8a87ff131337a6fd0ca80714ac570cf7

SHA1
2d453e64b21a30ab0a6683eb616390860fcbafa1

SHA256
9877e345d228e0991edb0cbadf597df36d6d4b578f06dba574281e252da4853c

SHA512
01ed97a6ad37dbba65845d324c6532dffd7c6c99224ab35a3bc5c41f510b0746b87f436e3209b635edab195248085465c93d1040c5fe5c7b94925f395d773ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\34db71d2-f6a2-4477-91c1-115bbc8d8f85.vbs

Filesize
715B

MD5
6c4503e55bf676ae112b5ec58e686bd3

SHA1
7527d3432d46c5331c9973a511f296bba81d4904

SHA256
bdbdf897ae47c36b0d250d3f419f93b4e561f6e73fcbdcbf598bc8cdfe088902

SHA512
f6e1d0908357f12be529eaec18dd2bc9904e1863c5565e1c446991e0e6941497f19945d76ee46b26b2fafa7cd415b0db914871ef2bc6d3c9903d11f579d6a7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\4729b652-d3ec-4377-a3d2-3ea08a4d227c.vbs

Filesize
715B

MD5
7c1e465bc13ac5ffd73811ccab453e89

SHA1
9ac88d06a89594ebdb7c2c305fe9c73ecc55fc6e

SHA256
90162747d3c5b52c8c0b222e375eb1f286e03e56405de24bb088ecc9380c2019

SHA512
6220300da82bf94595e8d07ecd201356fd51d36050f0425058aff5499581730273e5da208bc159e03448e4e034e1d71ae0f7e9c6f4d35ccce2fd46b76ab2ceff

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f411ff1-7b3a-4a95-852b-79b9e59c5aa2.vbs

Filesize
714B

MD5
06eb733004427cea5aec3479586a8f4b

SHA1
026a7fba52b2017b4e5a0e2e7a3fde29f4aefde7

SHA256
21f2efaf487e128453870fba656089f233becae4f7099b2c7f75b0efe8b2691a

SHA512
4f3fbdc32c1704db0b2c8a1f27639a82d9ede43e881eefe45836cf99c5c7d49b067febf98a3e20b378845c01447fdde57f06fb5d9d07c984dd0b19b19aef1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a989cd9-8d68-405b-8230-b629b9d178a7.vbs

Filesize
714B

MD5
d454058e4786e017045d9e16b33ca10b

SHA1
372254b43998b10290685e8214276c3d06c5c67f

SHA256
15627e9d1000e63e5452cf3909d5723ec27a2ac8c1e3ca08a2360f9887f2b42f

SHA512
1930832d3858d4f5ef165362177f54b1c9f5a287f2cb2b6597d5a34800144f7e32b2b27c8d17de54a09ee32f1b30117cd01fef84974dbe19d49084dde60d30b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fe4ec32-b8af-438f-971c-c1c706cf4173.vbs

Filesize
715B

MD5
ba90a8cb47d98ce3827f4a3e1fd4645e

SHA1
a990af52a35c6803071443ce6ad100fcb532032b

SHA256
54d5112f07116f715997def762cfa9d03307d91435c16cc3868db8695d616eab

SHA512
483f1519c9b2e603375b2a7ca0b1fc0dd5bdadb54ed69b4da521db6cbf1a91167b0709c2b6c783d157474ae72a10f9f7fb93eb00fc3859a356573e9107ee7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXA1DB.tmp

Filesize
2.5MB

MD5
ae4bacdcf2bbc8b470debd0414ddc899

SHA1
65f113639d32a6f75bf0e8e147a3e7884f94e4c9

SHA256
3bec411feba3a2dcc4df7735f7084df2995acfea71c902682582cfc5c3f608df

SHA512
a2bf442b2729924206282a18b2527196c3ee2bde183604736ed59a88c21d830642240f701150ecfff4052a674008266c96bf0fcbce4fbf41e908cdc5528a4acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfdb0530-1ce9-4108-b871-b7ab66f2c137.vbs

Filesize
715B

MD5
c7a76988a60687bc18ac3b84aa0f4e74

SHA1
0865d356478656ee3861eb6ca69a0f3b244cbfd9

SHA256
54f2ee859ce52780a0f08902505788cf5a95907d0e91f9ce5f7253ba70758a4e

SHA512
24fca4b9b94810cdd90fe937bf417a64ace3e57d29aab7d60ae7ed071f8c7b3ccd096a8d29616d8a2c78a056656cffd37fab6c03134db7a6c6cb815f42eb7590

Download Submit
C:\Users\Admin\AppData\Local\Temp\e262f78b-7416-43ae-bee1-8e7635a04684.vbs

Filesize
491B

MD5
e6543f9c5e88f72a22fe040d1694d5a0

SHA1
2667d824c7af0abbae182580803eeeb3ce773054

SHA256
7b2ff261fa0380bd2211e232ebfc9573e25dab6a37174fe22f6ad14d21c31332

SHA512
489295ac4d6ffdbe3dceca45953e12e8afa834df590945edcea52db66f1933c5ec391accacb1706bf376cfba61b2dfda4425b0162373c2da03e1c1bfaaa4a813

Download Submit
C:\Users\Admin\AppData\Local\Temp\e62d11be-b8e0-4182-b9ec-0e658d09263f.vbs

Filesize
715B

MD5
9d8d13a1b04ddcb1eeede0bd7c58f85a

SHA1
252784cfa54dbd5bb6cf147560fca5682129fb4f

SHA256
a7a27a6ce5f6c371fd6cd5880bc77f9bc9607e7fe5b80c0f1a99e3fe5351650c

SHA512
9401048418497f74ee28fd6f59163c2a1abccccdb0f9d6ab8bf5ab1436fb53a7e14a879728631a00ecf5c8b6a7ecf016077faafb24200aa30812f0ac71d0a0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0a61a8-43d0-4a85-a18f-87b1fa4b539d.vbs

Filesize
715B

MD5
dc7cfa78fce66dd63222cbfa4aa20ae7

SHA1
23322bcabf35c8f76127794cf20113c6f5c8911f

SHA256
c830c954ce5a61e040817e3e92bc21c271b249e334aa31da17b797b56cd5f288

SHA512
02be449a648667cadc092d6aab28801bfd08cd5be764d0d39f894ace0106fc64ea50b957adafd63cfcde62a68165881d088ed1cfbff9568b728569ff530ac4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\f31243c8-9492-4ef5-b61b-6af13b0eebe3.vbs

Filesize
715B

MD5
21bd19727ea57c665585fe4bdbd02ce9

SHA1
3a5d51e6ff6e2779a7d3449c333ac572bac888cb

SHA256
06f4c4cfb6995759a48ae2253125080125457332d8ca735697a00d61d1623e73

SHA512
5a85c7cc98e994cf463a93c5e161f0d0d6d7a1683fe10917fd8a642afb364678e7f3baea39c0f676fc05962b55954a63c47977bd1211f6bea0378b78836bdd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8321845-c681-4ece-af13-ee7f69386948.vbs

Filesize
715B

MD5
fcc95dfb4f34f099d050e1eabe5702c3

SHA1
ca33d9d6cfe6cfcce323cfefa542c5f7a73b5a2c

SHA256
ff459c100e2e3144b4b56553d09038999b6a9d62cf820e551dc8b4e0122b37ca

SHA512
1ef0c0e36da00b39ed09834c43b4927a4013d336222a6cd64946ae5c7a3b91765a419c406c2fd119b9ba41079bf55488d1012756381fe922fa7a96af6108c692

Download Submit
C:\Users\Admin\AppData\Local\Temp\xifUwYYkTy.bat

Filesize
203B

MD5
d8ef724e02dc0f4b3c5d2e7176e18575

SHA1
d56fdd7237a9805ae5186e3f09b42457678d2d27

SHA256
f8d9c7b8c328aba03635809b778127d40a9a9714111571df11479c8f4f3ed682

SHA512
e657e14693365e9baa04fc4d216fac323b4838b0d3a325f620e8c2ba141b22c2fc5261a8d3bf5f032462b0628f3c5e381583ccb4a30bd512d1f687f23fa2018f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DWRZHFLRS8BB7HM3AQEX.temp

Filesize
7KB

MD5
8735e386211635bd664c86f8b090445d

SHA1
a7b475276f6266065ed60dfb77c9971cfcd908e3

SHA256
bd82ae6a8688b3090e7c1108b39b9c53225e79db7181ee7e49d96792d0dc1a40

SHA512
54deb55866c9c5f0d25166ab7752c45ce69f5d5471d1b3e4302e1250053d39d33388ea8f4313156d5210c3bc57d073b8843ce57c97b36a320c86905e99b0607a

Download Submit
C:\Windows\System32\wkscli\services.exe

Filesize
2.5MB

MD5
c0e844533f3364a244eab397b037c750

SHA1
009ab82972ec0d1d5e6839c0fda20da3009c756e

SHA256
7e7bd9aa617fdf01ef17a1b384352e36fd2d4258eb608cbe40d80ea4c75030a7

SHA512
1a60c3e6ca24a696a93ce364f9fde42b58cc916da826c46f3fdb3286fc65bf744519ae9c154abed8d7e315be6e1418555f191f12bcaf98785dabc757ed76dc2e

Download Submit
memory/320-123-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/320-122-0x0000000000130000-0x00000000003B6000-memory.dmp

Filesize
2.5MB

Download
memory/544-107-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/560-110-0x00000000011F0000-0x0000000001476000-memory.dmp

Filesize
2.5MB

Download
memory/560-111-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/1332-185-0x0000000000BA0000-0x0000000000BF6000-memory.dmp

Filesize
344KB

Download
memory/1332-184-0x00000000013C0000-0x0000000001646000-memory.dmp

Filesize
2.5MB

Download
memory/1376-160-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2112-222-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/2112-221-0x00000000003B0000-0x0000000000636000-memory.dmp

Filesize
2.5MB

Download
memory/2124-172-0x0000000000C40000-0x0000000000C96000-memory.dmp

Filesize
344KB

Download
memory/2184-209-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2184-208-0x00000000004B0000-0x0000000000506000-memory.dmp

Filesize
344KB

Download
memory/2540-135-0x0000000001390000-0x0000000001616000-memory.dmp

Filesize
2.5MB

Download
memory/2540-136-0x0000000000B50000-0x0000000000BA6000-memory.dmp

Filesize
344KB

Download
memory/2604-5-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2604-15-0x0000000002130000-0x0000000002138000-memory.dmp

Filesize
32KB

Download
memory/2604-11-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2604-9-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/2604-1-0x00000000000B0000-0x0000000000336000-memory.dmp

Filesize
2.5MB

Download
memory/2604-8-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2604-12-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/2604-7-0x00000000009F0000-0x0000000000A46000-memory.dmp

Filesize
344KB

Download
memory/2604-13-0x0000000002140000-0x000000000214A000-memory.dmp

Filesize
40KB

Download
memory/2604-6-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2604-14-0x0000000002120000-0x000000000212C000-memory.dmp

Filesize
48KB

Download
memory/2604-10-0x00000000007D0000-0x00000000007DA000-memory.dmp

Filesize
40KB

Download
memory/2604-69-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/2604-4-0x0000000000790000-0x00000000007AC000-memory.dmp

Filesize
112KB

Download
memory/2604-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

Filesize
4KB

Download
memory/2604-2-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-3-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2604-99-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Filesize
9.9MB

Download
memory/2604-16-0x00000000021D0000-0x00000000021DA000-memory.dmp

Filesize
40KB

Download
memory/2764-148-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2852-100-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/2852-234-0x00000000003E0000-0x0000000000666000-memory.dmp

Filesize
2.5MB

Download