dcrat | 56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

729c059086bce232a39d74a0b680bfed.exe
Size

885KB
MD5

729c059086bce232a39d74a0b680bfed
SHA1

832281677409fc0e150bdf6132be849824a265ea
SHA256

7a7f0076056b3e2b93a330a8af8df9d43f43a83b50931f2888f0db411c8e2024
SHA512

ca3f47323cc5018608c1c466f4805569df73523a6dcc6367f77bfd6d6a36393937222c0f0dfa89a748dc0406f40fc385761cef432aac1a9cd8d41857b6136c0d
SSDEEP

12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2924	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2924	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral5/memory/2536-1-0x00000000003A0000-0x0000000000484000-memory.dmp	dcrat
behavioral5/files/0x0005000000019794-18.dat	dcrat
behavioral5/files/0x000600000001a409-39.dat	dcrat
behavioral5/files/0x000700000001a442-60.dat	dcrat
behavioral5/files/0x000900000001a495-113.dat	dcrat
behavioral5/memory/1816-124-0x0000000000260000-0x0000000000344000-memory.dmp	dcrat
behavioral5/memory/1592-135-0x0000000000B20000-0x0000000000C04000-memory.dmp	dcrat
behavioral5/memory/2772-147-0x0000000000C70000-0x0000000000D54000-memory.dmp	dcrat
behavioral5/memory/2128-159-0x0000000000380000-0x0000000000464000-memory.dmp	dcrat
behavioral5/memory/292-171-0x0000000001020000-0x0000000001104000-memory.dmp	dcrat
behavioral5/memory/1876-183-0x0000000001200000-0x00000000012E4000-memory.dmp	dcrat
behavioral5/memory/1892-228-0x0000000001220000-0x0000000001304000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
1816	WmiPrvSE.exe
1592	WmiPrvSE.exe
2772	WmiPrvSE.exe
2128	WmiPrvSE.exe
292	WmiPrvSE.exe
1876	WmiPrvSE.exe
2660	WmiPrvSE.exe
2668	WmiPrvSE.exe
296	WmiPrvSE.exe
1892	WmiPrvSE.exe
2068	WmiPrvSE.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\dwm.exe	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\Uninstall Information\dwm.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCXEF64.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\DVD Maker\es-ES\RCXEFE2.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXEFE3.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXEEF3.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXEFE4.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXEF61.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXF066.tmp	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\DVD Maker\es-ES\audiodg.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files\DVD Maker\es-ES\42af1c969fbb7b	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\24dbde2999530e	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCXF067.tmp	729c059086bce232a39d74a0b680bfed.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\729c059086bce232a39d74a0b680bfed.exe	729c059086bce232a39d74a0b680bfed.exe
File created	C:\Windows\es-ES\24e14d540d5898	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Windows\es-ES\RCXEF62.tmp	729c059086bce232a39d74a0b680bfed.exe
File opened for modification	C:\Windows\es-ES\RCXEF63.tmp	729c059086bce232a39d74a0b680bfed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2008	schtasks.exe
344	schtasks.exe
2584	schtasks.exe
2880	schtasks.exe
3020	schtasks.exe
2900	schtasks.exe
2316	schtasks.exe
2960	schtasks.exe
1740	schtasks.exe
1736	schtasks.exe
2804	schtasks.exe
1264	schtasks.exe
2780	schtasks.exe
2760	schtasks.exe
2828	schtasks.exe
2728	schtasks.exe
2948	schtasks.exe
2328	schtasks.exe
2624	schtasks.exe
2776	schtasks.exe
2644	schtasks.exe
1784	schtasks.exe
1864	schtasks.exe
2980	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2536	729c059086bce232a39d74a0b680bfed.exe
2536	729c059086bce232a39d74a0b680bfed.exe
2536	729c059086bce232a39d74a0b680bfed.exe
1816	WmiPrvSE.exe
1592	WmiPrvSE.exe
2772	WmiPrvSE.exe
2128	WmiPrvSE.exe
292	WmiPrvSE.exe
1876	WmiPrvSE.exe
2660	WmiPrvSE.exe
2668	WmiPrvSE.exe
296	WmiPrvSE.exe
1892	WmiPrvSE.exe
2068	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	729c059086bce232a39d74a0b680bfed.exe
Token: SeDebugPrivilege	1816	WmiPrvSE.exe
Token: SeDebugPrivilege	1592	WmiPrvSE.exe
Token: SeDebugPrivilege	2772	WmiPrvSE.exe
Token: SeDebugPrivilege	2128	WmiPrvSE.exe
Token: SeDebugPrivilege	292	WmiPrvSE.exe
Token: SeDebugPrivilege	1876	WmiPrvSE.exe
Token: SeDebugPrivilege	2660	WmiPrvSE.exe
Token: SeDebugPrivilege	2668	WmiPrvSE.exe
Token: SeDebugPrivilege	296	WmiPrvSE.exe
Token: SeDebugPrivilege	1892	WmiPrvSE.exe
Token: SeDebugPrivilege	2068	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1676	2536	729c059086bce232a39d74a0b680bfed.exe	56
PID 2536 wrote to memory of 1676	2536	729c059086bce232a39d74a0b680bfed.exe	56
PID 2536 wrote to memory of 1676	2536	729c059086bce232a39d74a0b680bfed.exe	56
PID 1676 wrote to memory of 2984	1676	cmd.exe	58
PID 1676 wrote to memory of 2984	1676	cmd.exe	58
PID 1676 wrote to memory of 2984	1676	cmd.exe	58
PID 1676 wrote to memory of 1816	1676	cmd.exe	59
PID 1676 wrote to memory of 1816	1676	cmd.exe	59
PID 1676 wrote to memory of 1816	1676	cmd.exe	59
PID 1816 wrote to memory of 872	1816	WmiPrvSE.exe	60
PID 1816 wrote to memory of 872	1816	WmiPrvSE.exe	60
PID 1816 wrote to memory of 872	1816	WmiPrvSE.exe	60
PID 1816 wrote to memory of 2148	1816	WmiPrvSE.exe	61
PID 1816 wrote to memory of 2148	1816	WmiPrvSE.exe	61
PID 1816 wrote to memory of 2148	1816	WmiPrvSE.exe	61
PID 872 wrote to memory of 1592	872	WScript.exe	62
PID 872 wrote to memory of 1592	872	WScript.exe	62
PID 872 wrote to memory of 1592	872	WScript.exe	62
PID 1592 wrote to memory of 2952	1592	WmiPrvSE.exe	63
PID 1592 wrote to memory of 2952	1592	WmiPrvSE.exe	63
PID 1592 wrote to memory of 2952	1592	WmiPrvSE.exe	63
PID 1592 wrote to memory of 2612	1592	WmiPrvSE.exe	64
PID 1592 wrote to memory of 2612	1592	WmiPrvSE.exe	64
PID 1592 wrote to memory of 2612	1592	WmiPrvSE.exe	64
PID 2952 wrote to memory of 2772	2952	WScript.exe	65
PID 2952 wrote to memory of 2772	2952	WScript.exe	65
PID 2952 wrote to memory of 2772	2952	WScript.exe	65
PID 2772 wrote to memory of 2448	2772	WmiPrvSE.exe	66
PID 2772 wrote to memory of 2448	2772	WmiPrvSE.exe	66
PID 2772 wrote to memory of 2448	2772	WmiPrvSE.exe	66
PID 2772 wrote to memory of 2996	2772	WmiPrvSE.exe	67
PID 2772 wrote to memory of 2996	2772	WmiPrvSE.exe	67
PID 2772 wrote to memory of 2996	2772	WmiPrvSE.exe	67
PID 2448 wrote to memory of 2128	2448	WScript.exe	68
PID 2448 wrote to memory of 2128	2448	WScript.exe	68
PID 2448 wrote to memory of 2128	2448	WScript.exe	68
PID 2128 wrote to memory of 2332	2128	WmiPrvSE.exe	69
PID 2128 wrote to memory of 2332	2128	WmiPrvSE.exe	69
PID 2128 wrote to memory of 2332	2128	WmiPrvSE.exe	69
PID 2128 wrote to memory of 440	2128	WmiPrvSE.exe	70
PID 2128 wrote to memory of 440	2128	WmiPrvSE.exe	70
PID 2128 wrote to memory of 440	2128	WmiPrvSE.exe	70
PID 2332 wrote to memory of 292	2332	WScript.exe	71
PID 2332 wrote to memory of 292	2332	WScript.exe	71
PID 2332 wrote to memory of 292	2332	WScript.exe	71
PID 292 wrote to memory of 2204	292	WmiPrvSE.exe	72
PID 292 wrote to memory of 2204	292	WmiPrvSE.exe	72
PID 292 wrote to memory of 2204	292	WmiPrvSE.exe	72
PID 292 wrote to memory of 984	292	WmiPrvSE.exe	73
PID 292 wrote to memory of 984	292	WmiPrvSE.exe	73
PID 292 wrote to memory of 984	292	WmiPrvSE.exe	73
PID 2204 wrote to memory of 1876	2204	WScript.exe	75
PID 2204 wrote to memory of 1876	2204	WScript.exe	75
PID 2204 wrote to memory of 1876	2204	WScript.exe	75
PID 1876 wrote to memory of 2736	1876	WmiPrvSE.exe	76
PID 1876 wrote to memory of 2736	1876	WmiPrvSE.exe	76
PID 1876 wrote to memory of 2736	1876	WmiPrvSE.exe	76
PID 1876 wrote to memory of 1684	1876	WmiPrvSE.exe	77
PID 1876 wrote to memory of 1684	1876	WmiPrvSE.exe	77
PID 1876 wrote to memory of 1684	1876	WmiPrvSE.exe	77
PID 2736 wrote to memory of 2660	2736	WScript.exe	78
PID 2736 wrote to memory of 2660	2736	WScript.exe	78
PID 2736 wrote to memory of 2660	2736	WScript.exe	78
PID 2660 wrote to memory of 2456	2660	WmiPrvSE.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\729c059086bce232a39d74a0b680bfed.exe
"C:\Users\Admin\AppData\Local\Temp\729c059086bce232a39d74a0b680bfed.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RZ53OVoIdY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2984
- - C:\Users\Admin\Start Menu\WmiPrvSE.exe
    "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db436d4a-1aa5-4019-a437-bb8301be600e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3aad4789-54ac-45e2-b75d-c3d73de5ff12.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7177a41a-8686-48b6-95bb-28b2d4d59961.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\563bd490-9f9e-4dd0-a021-35ac5c91b6bf.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d6d7a97-1ae9-440b-88d9-3392724d675f.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c06e59e-373f-4dd7-b104-ddbbb59f15d3.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\18fd4bef-aaa2-4730-ab9c-d736779b829f.vbs"
        16⤵
        
        PID:2456
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c9b9ad0-d0d4-4c67-bb93-c9c4b1e44ea7.vbs"
        18⤵
        
        PID:1380
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aedd52e9-1d22-405f-a87e-96e74c8aef65.vbs"
        20⤵
        
        PID:2584
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff15d9b8-b127-4dc5-b3ea-f99b1a59ddcf.vbs"
        22⤵
        
        PID:2216
        
        C:\Users\Admin\Start Menu\WmiPrvSE.exe
        
        "C:\Users\Admin\Start Menu\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d1dbdca-f568-42f9-94e4-d480656229af.vbs"
        24⤵
        
        PID:2764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec7adec2-d434-4874-ae50-f489e4f3ed4c.vbs"
        24⤵
        
        PID:1336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4cb8ed72-6ea3-41c0-9fc9-ce5dfc919da5.vbs"
        22⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eca831b2-85f2-4674-b1da-928061af912c.vbs"
        20⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02ebaff0-f324-4a5e-a2b2-2252a0cea10e.vbs"
        18⤵
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a22a53a-03d7-47e7-b9ab-2ba45377443c.vbs"
        16⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d89a977-ec4f-4d07-b206-411238eb0a00.vbs"
        14⤵
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b22af368-5a9b-4276-864a-52d95b648cf9.vbs"
        12⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66333e8b-77b3-4e6e-9a5e-ed1c530fb469.vbs"
        10⤵
        
        PID:440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3f5e4c6-a2b6-499a-afdc-65df7dadb709.vbs"
        8⤵
        
        PID:2996
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b1c2b42-b477-4d2b-90e6-5441103a69cc.vbs"
        6⤵
        
        PID:2612
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5426d909-9c97-4a19-88b3-05dd1a609715.vbs"
      4⤵
      PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "729c059086bce232a39d74a0b680bfed7" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\729c059086bce232a39d74a0b680bfed.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "729c059086bce232a39d74a0b680bfed" /sc ONLOGON /tr "'C:\Windows\es-ES\729c059086bce232a39d74a0b680bfed.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "729c059086bce232a39d74a0b680bfed7" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\729c059086bce232a39d74a0b680bfed.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\es-ES\audiodg.exe

Filesize
885KB

MD5
ee54ad557fc4dbe08b77b21c48907a3d

SHA1
3bbe00f3017a221abff290972bf2914898b8ee95

SHA256
4ac862a76178c8a4d34c274273bd068a6a9567d2e0002cba7ba0df2c4803e764

SHA512
47ccd83f8dedd47e74beb40f0db2dc3f35d636ea5e30aa177e9985f4be1dd7acb095c1db5903cbfad1b8f936912f662f471e21db025086076e7784c0d8b100d1

Download Submit
C:\Program Files\Uninstall Information\dwm.exe

Filesize
885KB

MD5
eb1659407eab1c32e97b07823a1696d0

SHA1
9ba93c5eef3944a5d4d155db88ea2233efb649ee

SHA256
6387cba5e5ed4fa784aba812f51b30457eff2634b920c4527274eb5ace9c7b66

SHA512
0724c151aff31330f0cab0dd78d2112a5c144e51bf2c3ccbd9031ddc584c72b89db2b726a80690083d427a642df6b4b7d9a3fed7be41bafbdcce792175ebacfb

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\csrss.exe

Filesize
885KB

MD5
f7c768a6db60ab5c689da1e296b9bfb1

SHA1
ee2a4c65fc0867dca08120886e953f6d3515dd83

SHA256
870c55dd084affbf805c5087329f39a94e285835053e102ce622b63a9430ab3d

SHA512
e9b55f01804b5575d9bbbd593251e5be8ac1f936bfd0927747ed82191d2cfc2bb10e868bc2aa55a53da9b1ea0ddfd5fbcf3afa5030d24952f8746c0bc6e67359

Download Submit
C:\Users\Admin\AppData\Local\Temp\18fd4bef-aaa2-4730-ab9c-d736779b829f.vbs

Filesize
714B

MD5
d402438ab74449cffed3aa7cc06c7349

SHA1
90cdb36228e9373851d88c6f23607ae39df6fcd8

SHA256
fed97c867da903e8b7e16d637f42cd40c376f9666b2503c9c364a6f3fb9d360a

SHA512
9a2e44073771391e3ea0a264ce5181b6300c18ca0b70456f6cfab989f3935104c37948212ba48a2fb9470d422ccac5e34f56884ce80c79530a0b5490c77f745c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c06e59e-373f-4dd7-b104-ddbbb59f15d3.vbs

Filesize
714B

MD5
27f0b5accaebb443eadc86eaf11d1745

SHA1
e337024d5b0aa5d382b781e4901e1f225e051b9f

SHA256
401741830036f24f8ac1c4fa52fbf0cb14d7f176d95d00070298220c663692fc

SHA512
9b9f01869ae4acfe5e94ec7c080a89d97c65ef914006c318ee05f3dfa558a9906a6339621506cdaf97a0fa9a6da07e24e8ca516ddc0e743e14789236dcd2df88

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d1dbdca-f568-42f9-94e4-d480656229af.vbs

Filesize
714B

MD5
40c3cffb9176761520dd41a794c80d85

SHA1
32597a1650a7c419cb989821e86b9d21c2555dc2

SHA256
ef69781d60ae7fa1967018fe01fd6bb6a3377af02c5752d0684cd212d306ea19

SHA512
a1ae47af1826841ad1a1aebd4d3484bb0cf1a3eb14581e3f543958e60a86513ad159c51d00a1e799d7a826130d2f47568e9afe93e93717f229451e0d54c25bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\3aad4789-54ac-45e2-b75d-c3d73de5ff12.vbs

Filesize
714B

MD5
c366039107895209e88a28b2f5f39dc0

SHA1
7ce13ecbecddc29d4e7fc3ca762dc0a6b3c96880

SHA256
6a26b290edbe0868efe3a8ab929e1aa8a9b4fa041d67a54808ffbe002f18cb44

SHA512
2091444ffcefb2269eac0524e15722e0ccf954467d715442bad68bba63652cad0793d4547e9fbbd47b17ae36cc62ccb3a6f1624316476b055105357f2259e3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\5426d909-9c97-4a19-88b3-05dd1a609715.vbs

Filesize
490B

MD5
74db11d831e74a7556756be669b16a09

SHA1
170e04e11bc75dc48805d8b59775178e8e47e0a2

SHA256
991fdeb58f9cadd0bdbb648e4efc810e78590dfa493ef9acf0a101e4470af0ab

SHA512
669f92c6433d250e1b1b488bbedfda6f3ce634c481ec786277b16178af350445c20492b5f6db45cd16f9936ff5b86d65a2b667beefe28fb0098af85ed60d1479

Download Submit
C:\Users\Admin\AppData\Local\Temp\563bd490-9f9e-4dd0-a021-35ac5c91b6bf.vbs

Filesize
714B

MD5
7c272fa58c79566df75bb6c82223c168

SHA1
fe0f5d5831422931d642e2e9207fafc6dab2e422

SHA256
a86e5d20fe937d8800e2155d0066d347b0549970d2c9ed197640e8c6be7956db

SHA512
c1e298250f3e3da01b4f61b9b1931491f3881d1f2af3c33764cd8bd044a8a7deca51985aea763a772fb5f47674449f0494e485c01adb697f19698152a232d256

Download Submit
C:\Users\Admin\AppData\Local\Temp\7177a41a-8686-48b6-95bb-28b2d4d59961.vbs

Filesize
714B

MD5
1103d1f2b4008d41d84011f4fd58f119

SHA1
f016c28a02940966ba5741d487d8252839c2a4c9

SHA256
101163dbb933e5cb6f0d9a320d645e6bfcf1920c6e4bd24793287f4a3ed13cfa

SHA512
555d709c532310712c2b73bf850dc40ebfd24fd162d0d495fd889dd6485fbaeae9bd4e300414c45914442881b0aff807ad998408d3b5957573533f1a683569ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c9b9ad0-d0d4-4c67-bb93-c9c4b1e44ea7.vbs

Filesize
714B

MD5
baaecdd1d49706c4e820e658d635289d

SHA1
b21c8c0574b02412d490e1b1e8555dd196f7de7b

SHA256
80a2dfcb9e32b9cb3340f0c9aeb566e28cea1baf2ba87baf02c8dca74bf4de4b

SHA512
580decdbe1d16785a6c06c199d43c303d115a2d4fd918613f0370f0554b5a2ed59f0b85aa90f415baf5a2737f268449cd29e3f14dc2f7b07938ee756ebef0a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d6d7a97-1ae9-440b-88d9-3392724d675f.vbs

Filesize
713B

MD5
fb340a162ff145a21da65fb7fe471797

SHA1
3800aa101137035524314b34e633ae6f292d9f61

SHA256
7009f693374de1a572ee484ddc8eaaa930de47bb3448f6dfcd0b397fed1e3785

SHA512
ce89954448700eb090d79a78b53e75d2669c7949dfcb1241d1a9ea74e492aaab26cd2ff6b1b80b8e4d5da0b2f9ad20b2f96bdba51ee94de0cb26186b384227d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RZ53OVoIdY.bat

Filesize
203B

MD5
0fd622a9fb8290746320ea3cbb84fcb7

SHA1
f2a159d3bbb785689ce1c3b30ade662487df1f29

SHA256
6fadde06ddf65bf96cf98a4a829fd99c5225108e6897424bacbedcbc624e1c7b

SHA512
7573223df035504de1e2f8e8055e65452f4dd84a0580b287107e7eb52a993d67d0dde388aed59650e86aa335e08037ecf3fab21282b87164af46e97d5b63cf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\aedd52e9-1d22-405f-a87e-96e74c8aef65.vbs

Filesize
713B

MD5
0c35f904d86df48b4f71bcca9695b5e2

SHA1
7df7ab5a8e07bb1e5e5e6c7870496a17d56b74c0

SHA256
98dd3a4196561affd50797505ce60abade7d8c47584fefa343ce83b11580552c

SHA512
6b2086dba06fb89107f2b829faf38e0f65a85c5c09a8afff8cb0ed8d1c80d3857d4b4875288bb1b0d674e5cf416e9e9113b40e025e304b8397701ad04f3718d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\db436d4a-1aa5-4019-a437-bb8301be600e.vbs

Filesize
714B

MD5
f15c036de61a3061ceb6abf23cfe68d8

SHA1
2eced5813584e48731d3ab50a9c1f14ea8ee1e4f

SHA256
e51a9122631d6286eae6b11ed2b240ff6835fa289c6a6b09ba6ce978d9c3330d

SHA512
c16380a6a5036c979b983c74adb1a6de6a5d98dcc42b6acae53fa6a25da31617224b6240ea6d2ab64587d1aa6110a02639ad14674e9a9ffadf2c0ca3c9b39654

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff15d9b8-b127-4dc5-b3ea-f99b1a59ddcf.vbs

Filesize
714B

MD5
ba7b22e8bdc9f2f5c610429cd720db8d

SHA1
be3c8a11f3423d824767111bb46f7a8331c99653

SHA256
b41e3e2c53bc535fd662c9ce8a92efbe839a316abdff29500f0c5aa433047d8e

SHA512
a70d028c2f6caa8db1a8123d8c855f9d5195edd5d07f1b181d3a17be38824cbdae5d7ef2da5bdca467e3e86d6841bc8ebb6eb568a32a776fb2fe5bd8766de159

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\WmiPrvSE.exe

Filesize
885KB

MD5
729c059086bce232a39d74a0b680bfed

SHA1
832281677409fc0e150bdf6132be849824a265ea

SHA256
7a7f0076056b3e2b93a330a8af8df9d43f43a83b50931f2888f0db411c8e2024

SHA512
ca3f47323cc5018608c1c466f4805569df73523a6dcc6367f77bfd6d6a36393937222c0f0dfa89a748dc0406f40fc385761cef432aac1a9cd8d41857b6136c0d

Download Submit
memory/292-171-0x0000000001020000-0x0000000001104000-memory.dmp

Filesize
912KB

Download
memory/1592-135-0x0000000000B20000-0x0000000000C04000-memory.dmp

Filesize
912KB

Download
memory/1816-124-0x0000000000260000-0x0000000000344000-memory.dmp

Filesize
912KB

Download
memory/1876-183-0x0000000001200000-0x00000000012E4000-memory.dmp

Filesize
912KB

Download
memory/1892-228-0x0000000001220000-0x0000000001304000-memory.dmp

Filesize
912KB

Download
memory/2128-159-0x0000000000380000-0x0000000000464000-memory.dmp

Filesize
912KB

Download
memory/2536-6-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download
memory/2536-3-0x0000000000610000-0x000000000062C000-memory.dmp

Filesize
112KB

Download
memory/2536-5-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/2536-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp

Filesize
4KB

Download
memory/2536-121-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2536-7-0x0000000000670000-0x000000000067E000-memory.dmp

Filesize
56KB

Download
memory/2536-8-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2536-9-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2536-4-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/2536-2-0x000007FEF5970000-0x000007FEF635C000-memory.dmp

Filesize
9.9MB

Download
memory/2536-1-0x00000000003A0000-0x0000000000484000-memory.dmp

Filesize
912KB

Download
memory/2772-147-0x0000000000C70000-0x0000000000D54000-memory.dmp

Filesize
912KB

Download