dcrat | 13998cf5ce3fc1b1fb20635ef2c1e476c880d72eec7afb7e8ec74808928700da

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a77ff4e4dd651e4c89e2297a2a321987.exe
Size

885KB
MD5

a77ff4e4dd651e4c89e2297a2a321987
SHA1

a9547ffaf19a4e24b18bfd064daa8c0286dcfde9
SHA256

6edd1467581b5e8050205a8da77435b71115ab9b69e76fd46c1dc8abd63664dc
SHA512

2df2d8ef093dc2a53ca2b23544fae535dea9884e296fca639d5168606369742c62d73a834b96696711800023adc0b2204f05e235641ce9edaabbf9985f6732e7
SSDEEP

12288:ElNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:ElNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2916	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2916	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral13/memory/2692-1-0x0000000001200000-0x00000000012E4000-memory.dmp	dcrat
behavioral13/files/0x0005000000019838-18.dat	dcrat
behavioral13/memory/2248-115-0x0000000000160000-0x0000000000244000-memory.dmp	dcrat
behavioral13/memory/2908-126-0x0000000001380000-0x0000000001464000-memory.dmp	dcrat
behavioral13/memory/2072-226-0x00000000003E0000-0x00000000004C4000-memory.dmp	dcrat
behavioral13/memory/1940-238-0x0000000000F10000-0x0000000000FF4000-memory.dmp	dcrat

Executes dropped EXE 14 IoCs

pid	Process
2248	explorer.exe
2908	explorer.exe
3004	explorer.exe
1996	explorer.exe
1968	explorer.exe
2300	explorer.exe
2596	explorer.exe
1676	explorer.exe
1040	explorer.exe
2820	explorer.exe
2072	explorer.exe
1940	explorer.exe
2172	explorer.exe
2512	explorer.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\csrss.exe	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\886983d96e3d3e	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXA96.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\RCXA97.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCXA5F.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\RCXA60.tmp	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\csrss.exe	a77ff4e4dd651e4c89e2297a2a321987.exe
File opened for modification	C:\Windows\PolicyDefinitions\ja-JP\csrss.exe	a77ff4e4dd651e4c89e2297a2a321987.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\886983d96e3d3e	a77ff4e4dd651e4c89e2297a2a321987.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1704	schtasks.exe
496	schtasks.exe
2736	schtasks.exe
2568	schtasks.exe
3056	schtasks.exe
1152	schtasks.exe
2868	schtasks.exe
2896	schtasks.exe
2624	schtasks.exe
3020	schtasks.exe
3012	schtasks.exe
2876	schtasks.exe
828	schtasks.exe
888	schtasks.exe
2664	schtasks.exe
1996	schtasks.exe
2088	schtasks.exe
1688	schtasks.exe
576	schtasks.exe
1764	schtasks.exe
1376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2692	a77ff4e4dd651e4c89e2297a2a321987.exe
2692	a77ff4e4dd651e4c89e2297a2a321987.exe
2692	a77ff4e4dd651e4c89e2297a2a321987.exe
2248	explorer.exe
2908	explorer.exe
3004	explorer.exe
1996	explorer.exe
1968	explorer.exe
2300	explorer.exe
2596	explorer.exe
1676	explorer.exe
1040	explorer.exe
2820	explorer.exe
2072	explorer.exe
1940	explorer.exe
2172	explorer.exe
2512	explorer.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	a77ff4e4dd651e4c89e2297a2a321987.exe
Token: SeDebugPrivilege	2248	explorer.exe
Token: SeDebugPrivilege	2908	explorer.exe
Token: SeDebugPrivilege	3004	explorer.exe
Token: SeDebugPrivilege	1996	explorer.exe
Token: SeDebugPrivilege	1968	explorer.exe
Token: SeDebugPrivilege	2300	explorer.exe
Token: SeDebugPrivilege	2596	explorer.exe
Token: SeDebugPrivilege	1676	explorer.exe
Token: SeDebugPrivilege	1040	explorer.exe
Token: SeDebugPrivilege	2820	explorer.exe
Token: SeDebugPrivilege	2072	explorer.exe
Token: SeDebugPrivilege	1940	explorer.exe
Token: SeDebugPrivilege	2172	explorer.exe
Token: SeDebugPrivilege	2512	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1716	2692	a77ff4e4dd651e4c89e2297a2a321987.exe	52
PID 2692 wrote to memory of 1716	2692	a77ff4e4dd651e4c89e2297a2a321987.exe	52
PID 2692 wrote to memory of 1716	2692	a77ff4e4dd651e4c89e2297a2a321987.exe	52
PID 1716 wrote to memory of 860	1716	cmd.exe	54
PID 1716 wrote to memory of 860	1716	cmd.exe	54
PID 1716 wrote to memory of 860	1716	cmd.exe	54
PID 1716 wrote to memory of 2248	1716	cmd.exe	55
PID 1716 wrote to memory of 2248	1716	cmd.exe	55
PID 1716 wrote to memory of 2248	1716	cmd.exe	55
PID 2248 wrote to memory of 2268	2248	explorer.exe	56
PID 2248 wrote to memory of 2268	2248	explorer.exe	56
PID 2248 wrote to memory of 2268	2248	explorer.exe	56
PID 2248 wrote to memory of 1224	2248	explorer.exe	57
PID 2248 wrote to memory of 1224	2248	explorer.exe	57
PID 2248 wrote to memory of 1224	2248	explorer.exe	57
PID 2268 wrote to memory of 2908	2268	WScript.exe	58
PID 2268 wrote to memory of 2908	2268	WScript.exe	58
PID 2268 wrote to memory of 2908	2268	WScript.exe	58
PID 2908 wrote to memory of 2756	2908	explorer.exe	59
PID 2908 wrote to memory of 2756	2908	explorer.exe	59
PID 2908 wrote to memory of 2756	2908	explorer.exe	59
PID 2908 wrote to memory of 2548	2908	explorer.exe	60
PID 2908 wrote to memory of 2548	2908	explorer.exe	60
PID 2908 wrote to memory of 2548	2908	explorer.exe	60
PID 2756 wrote to memory of 3004	2756	WScript.exe	61
PID 2756 wrote to memory of 3004	2756	WScript.exe	61
PID 2756 wrote to memory of 3004	2756	WScript.exe	61
PID 3004 wrote to memory of 2768	3004	explorer.exe	62
PID 3004 wrote to memory of 2768	3004	explorer.exe	62
PID 3004 wrote to memory of 2768	3004	explorer.exe	62
PID 3004 wrote to memory of 2628	3004	explorer.exe	63
PID 3004 wrote to memory of 2628	3004	explorer.exe	63
PID 3004 wrote to memory of 2628	3004	explorer.exe	63
PID 2768 wrote to memory of 1996	2768	WScript.exe	64
PID 2768 wrote to memory of 1996	2768	WScript.exe	64
PID 2768 wrote to memory of 1996	2768	WScript.exe	64
PID 1996 wrote to memory of 2328	1996	explorer.exe	65
PID 1996 wrote to memory of 2328	1996	explorer.exe	65
PID 1996 wrote to memory of 2328	1996	explorer.exe	65
PID 1996 wrote to memory of 1984	1996	explorer.exe	66
PID 1996 wrote to memory of 1984	1996	explorer.exe	66
PID 1996 wrote to memory of 1984	1996	explorer.exe	66
PID 2328 wrote to memory of 1968	2328	WScript.exe	67
PID 2328 wrote to memory of 1968	2328	WScript.exe	67
PID 2328 wrote to memory of 1968	2328	WScript.exe	67
PID 1968 wrote to memory of 2788	1968	explorer.exe	68
PID 1968 wrote to memory of 2788	1968	explorer.exe	68
PID 1968 wrote to memory of 2788	1968	explorer.exe	68
PID 1968 wrote to memory of 2356	1968	explorer.exe	69
PID 1968 wrote to memory of 2356	1968	explorer.exe	69
PID 1968 wrote to memory of 2356	1968	explorer.exe	69
PID 2788 wrote to memory of 2300	2788	WScript.exe	70
PID 2788 wrote to memory of 2300	2788	WScript.exe	70
PID 2788 wrote to memory of 2300	2788	WScript.exe	70
PID 2300 wrote to memory of 1512	2300	explorer.exe	71
PID 2300 wrote to memory of 1512	2300	explorer.exe	71
PID 2300 wrote to memory of 1512	2300	explorer.exe	71
PID 2300 wrote to memory of 992	2300	explorer.exe	72
PID 2300 wrote to memory of 992	2300	explorer.exe	72
PID 2300 wrote to memory of 992	2300	explorer.exe	72
PID 1512 wrote to memory of 2596	1512	WScript.exe	73
PID 1512 wrote to memory of 2596	1512	WScript.exe	73
PID 1512 wrote to memory of 2596	1512	WScript.exe	73
PID 2596 wrote to memory of 2648	2596	explorer.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a77ff4e4dd651e4c89e2297a2a321987.exe
"C:\Users\Admin\AppData\Local\Temp\a77ff4e4dd651e4c89e2297a2a321987.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xxDhnLNanq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:860
- - C:\Users\Default\explorer.exe
    "C:\Users\Default\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b1d2e58-040d-4eee-9b01-169ff9869109.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a0ca290-b419-4668-b445-d3a9f7ee9e4b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c35dabcc-a78d-4775-a067-d08b7c4c31c0.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ae9ae42-3c9d-446f-b691-3212aab5079b.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f46c86ea-00d4-47e9-92cb-2ba993b15d76.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58969cb9-a964-48f3-8143-6e103fa3e4c9.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05339877-49c0-4a9d-9135-e7d050479f76.vbs"
        16⤵
        
        PID:2648
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf093b7c-9596-46a4-882a-84fa147e2184.vbs"
        18⤵
        
        PID:1680
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ef4dc5f-bedd-45fe-b09e-2306a733172b.vbs"
        20⤵
        
        PID:2876
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a8a0371-8ae2-4ab8-bec7-05820632a5ec.vbs"
        22⤵
        
        PID:1524
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ada1752-9c85-4cf6-b066-8b6d38473782.vbs"
        24⤵
        
        PID:328
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec55f7ed-4d4b-4c87-a8e8-f96414324a33.vbs"
        26⤵
        
        PID:2748
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88ad210d-a2f1-4439-9e33-e1dfe5833317.vbs"
        28⤵
        
        PID:2368
        
        C:\Users\Default\explorer.exe
        
        C:\Users\Default\explorer.exe
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6206d310-bebb-42bb-9ca4-d1c1ec986799.vbs"
        30⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c42645f3-53e5-4e00-a289-bbd0ff20de35.vbs"
        30⤵
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34120365-5bef-4918-b343-3a6e2360eb3f.vbs"
        28⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e9627a5-88f9-4aa9-bbd9-3293eba2965b.vbs"
        26⤵
        
        PID:2444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\815c31a5-ee40-4782-a38d-ea563efb0dac.vbs"
        24⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbe96a00-cbcb-4481-b434-e7eb749466e6.vbs"
        22⤵
        
        PID:280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5e9bd4e-4bee-422b-99dc-455102c0a508.vbs"
        20⤵
        
        PID:2848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a05973a3-ff62-4d9b-8371-6c92f78f19a6.vbs"
        18⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3295eaf5-37a9-4872-aaee-2b28b7a2897c.vbs"
        16⤵
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\175b9c34-3c14-48c3-abe7-13c3204c1ca2.vbs"
        14⤵
        
        PID:992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07104874-d9e3-4ccb-89bc-6508a58add17.vbs"
        12⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\295e0d6a-f2c2-410d-9f86-4eb63a30994c.vbs"
        10⤵
        
        PID:1984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ae8b421-a3d8-42cc-8a64-9d3b453650d9.vbs"
        8⤵
        
        PID:2628
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164fb59f-59ea-4212-ae90-023163914c6e.vbs"
        6⤵
        
        PID:2548
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1de4b3-ab20-4a1f-831a-4f3800753f12.vbs"
      4⤵
      PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a77ff4e4dd651e4c89e2297a2a321987a" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\a77ff4e4dd651e4c89e2297a2a321987.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a77ff4e4dd651e4c89e2297a2a321987" /sc ONLOGON /tr "'C:\Users\Default\Desktop\a77ff4e4dd651e4c89e2297a2a321987.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a77ff4e4dd651e4c89e2297a2a321987a" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Desktop\a77ff4e4dd651e4c89e2297a2a321987.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a77ff4e4dd651e4c89e2297a2a321987a" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\a77ff4e4dd651e4c89e2297a2a321987.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a77ff4e4dd651e4c89e2297a2a321987" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\a77ff4e4dd651e4c89e2297a2a321987.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a77ff4e4dd651e4c89e2297a2a321987a" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\a77ff4e4dd651e4c89e2297a2a321987.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\bin\csrss.exe

Filesize
885KB

MD5
a77ff4e4dd651e4c89e2297a2a321987

SHA1
a9547ffaf19a4e24b18bfd064daa8c0286dcfde9

SHA256
6edd1467581b5e8050205a8da77435b71115ab9b69e76fd46c1dc8abd63664dc

SHA512
2df2d8ef093dc2a53ca2b23544fae535dea9884e296fca639d5168606369742c62d73a834b96696711800023adc0b2204f05e235641ce9edaabbf9985f6732e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\05339877-49c0-4a9d-9135-e7d050479f76.vbs

Filesize
705B

MD5
f77e8854f0cddea9955e4c6030fc9346

SHA1
195f5712726734616c8cd88bfabfb3ae3652d72d

SHA256
c6d283c299061fb27be6ae4e6c4ea66a121091d9b9248160f6aaf00449519970

SHA512
5cf25e54d80e62beaf53daebfe98b5cadf2c00a3a4bf8e607054d4e4f1e7f13d43b45f1abc70cbd7b4fb8631c564df61c0ca9327d2536d306ad014e20b216ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b1d2e58-040d-4eee-9b01-169ff9869109.vbs

Filesize
705B

MD5
a658b458992eed43646a8ab6da92bcff

SHA1
1d4323df4ccf1286b311de1800ad52e9d2379f68

SHA256
2c6faafd5119fc39da9bd72a8a1e7741d38865e493847715e3dab13a9d0655db

SHA512
fa39c0620e9f52fdd22f987d388ddc2c55c048717e1ef646dc1febd66830c731b9b8c4f72550c6096a916f9a811f7f65fefcf2915fadba4826a779692980e433

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1de4b3-ab20-4a1f-831a-4f3800753f12.vbs

Filesize
481B

MD5
e3b9e2230c328fb4f800516923e0d846

SHA1
c4f5b936e5198ef949db08cf168446216cfff47d

SHA256
e73f025a961c42ab816779e8de17537b2c105f14dc772f6612ab5a0a5cd3b97b

SHA512
52f00e71041338b68406b7af1dcb6faa0dfaf4f95fbdb3af97d1a35d1085d6fb3edcb3624acec856abda448c4cbb3b563bcbf670aad0dec5d2f8a7a99b0f1681

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a0ca290-b419-4668-b445-d3a9f7ee9e4b.vbs

Filesize
705B

MD5
12b564aff2af43a789f0fa79be650576

SHA1
d8424b18df2f73d9f60c4b815195ff179e95e011

SHA256
d6e4d6e8193a1aeb4e3c1a59ae1a4d570dc1aadb820eb19bae946d4a42898c0a

SHA512
d9f0e5df886c2c52259819013a8b76d6b1bb93dc8e4b80d5a5dd9ba643bac6bbdf2fd6775d6bea6931d690f4ecc33ca717c3f41b1ed5e77d11361aedf8212266

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a8a0371-8ae2-4ab8-bec7-05820632a5ec.vbs

Filesize
705B

MD5
aaad71d166e82cf0240d9d80f5a684cd

SHA1
0696229edbec70a63cb7be43f33853ddfc0dc4c6

SHA256
e387a8e63446677bf8beaec018fa4360f46ca3c1e5ebc11067a26a1dfe0f14b1

SHA512
5e8a4e5b4be74d472f9b0d65a70d0102d2d9994bc0f974e1d9fee7838ffcf980453ae0d6a497b30857d6d3a8e78201f9b504e1f3d64a6987c8f6da4a4457e5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ef4dc5f-bedd-45fe-b09e-2306a733172b.vbs

Filesize
705B

MD5
4889ec0554cb70923390857e512a88a2

SHA1
859e3c8dfc148eaa1a99143ad73c4738f705ca32

SHA256
3b34377c7d51609351f9a521807bfe39a8674160491cb9eabb6380d675fe591a

SHA512
0e25551af04c68f20ba315b31198bd382af76543f5c201829e0d18060e3500ee3ce4f1de2b00415f66150cd7d3c12bedcd7e5a4a93d09a8e8aba6e823adcdbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ada1752-9c85-4cf6-b066-8b6d38473782.vbs

Filesize
705B

MD5
deef5c9cc5453f71cbe36bd9bc3b9342

SHA1
ecfaf49d4b4baee34bd1062b24120ec77f6a5e1c

SHA256
967df679c57fc844a0cb328ee3b9cf70c9fccd0c752ea25e12d130cb6ef7fd6c

SHA512
25c92f3317d96726f910469588fa8e3e25c897cc4863e6ea659dba0a5a633242fedbd272378fe8c034670bef3feadbcc7af2223212954efb2482e8a962865d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\58969cb9-a964-48f3-8143-6e103fa3e4c9.vbs

Filesize
705B

MD5
f3765f4e2dd27742201dc27ac43c67bd

SHA1
4b9e7a8ff0d4de1442dc52d3695d9f8783683522

SHA256
7f39cb357e5f7a3436625cb8e6951dfc1baa8af836fc9d92f53eab811ae5438b

SHA512
413a1ead45841d5e4eba29282b849250f566c0f44ae6014a0262449839be528d4327ed2c70e062b724cfbde85af080f0e569f2973ec7e6464d5983b532d21664

Download Submit
C:\Users\Admin\AppData\Local\Temp\6206d310-bebb-42bb-9ca4-d1c1ec986799.vbs

Filesize
705B

MD5
b4e8e09f8f28cb557039885578cf9728

SHA1
80364eb35897f1607ba5acea11837c51784ad4a6

SHA256
0aa901ec8e74a2d8bc4c8bda891a772ec3132e00f8c2b86a1fcf528fbc005fac

SHA512
fa91e31464f4e1b8db05bbbff7566cc8061a9bce082efb1dde663d133094d93babc03055de44625d99facec9fb3a72bbb6a749a20caae265591a80adaebaf8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\88ad210d-a2f1-4439-9e33-e1dfe5833317.vbs

Filesize
705B

MD5
d322f8dea15fccd7dcd6bf4be737366d

SHA1
d2ada6528781cbc09949051556e9518099e1e809

SHA256
3665b5d78baf0f8b8a7811f063384b6c5b52a5dd892e53a789ace28ddab88a83

SHA512
ef5b631972b51c5ed851e4ace8d33ef78177c143c2c261794bc8ea4aad50116e6bf634e2253759ef1ffddc381ccec1e9111035cbfb809e566fb80e1b783f873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ae9ae42-3c9d-446f-b691-3212aab5079b.vbs

Filesize
705B

MD5
3e0fe1df426b3219a0644e3cea185a2c

SHA1
edea8ce24ad1c924227697ff967d25ede6724286

SHA256
f4c390206afbbfa34f10469cbda3fe4986149612df1381b3e5acf461bf8b1ed2

SHA512
05d8df452773e054f1b75f167bf960925f74f9a1b49bce9fd14d5243f552d994e8b67d1888ed5f92f85fcd1a2cfb7a7926d9f1722eae4452e0a3d616a43e7d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\c35dabcc-a78d-4775-a067-d08b7c4c31c0.vbs

Filesize
705B

MD5
1df5a56db215331a4398c6bd482fb5e7

SHA1
70e3be65d992df24161228e426d816270928f9f3

SHA256
a49c2d24d3406fed58bcb0298cde38c72990500cd0019f55dd5da485833fa110

SHA512
ec8857c04888d59ba5f4e94ce895d3f19ff556f02224359eb7df06ed71a17055fbb8a5b3dd515af9a8a994127b9341b7c0b14de3525140a13c7e6a6f3dd5e8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf093b7c-9596-46a4-882a-84fa147e2184.vbs

Filesize
705B

MD5
caa53da1bf407d03955b7a84fedc03ed

SHA1
a81c7dfcfa19a376bd0f83c5bc334c11d60a0cbd

SHA256
917802a902d212b08b7e2ab3185ae573f52531f1aad60b52e4399ef7171b76e9

SHA512
7bf27737b4bb1c6b25353955de1b2e0c38815b9a040b468b42234df1650c5171b098f5655d95e045d4cf6d6daf40fc741185df741e65523e6e38a7b97f8942f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec55f7ed-4d4b-4c87-a8e8-f96414324a33.vbs

Filesize
705B

MD5
4ed331a0838fa0a5b15ea4c04399380a

SHA1
87fdc2d35bfcbfc5ead0be5a24c64b375b9a3665

SHA256
8efe6aaf3fecd5095182719612afdb96442ef2e3a5a11aa0ee7ae561f8aad8e5

SHA512
00ab3210619df7d89e2935b7c75f966d4c92e6096d30965885215bc15a09b28062299a376de55f030a9b52bab15cf4cff60375ed856e65d9ea19cc1a50df8ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f46c86ea-00d4-47e9-92cb-2ba993b15d76.vbs

Filesize
705B

MD5
a203e2847f7de071551a8f1ad83987a2

SHA1
7183add1467333c7c24db8286d829d3e512da942

SHA256
cf34b43103e1d6f1e0112312e07e63a6e973d6102c47735a66bcbc4b2b170600

SHA512
43b7089c6ca934e68b1d98ad3d6dc6b5b5bd8bf715152601bf237a2a56e86e13174056160402912733b323c6e12b321447df3e32a2d9cad24af70ea4b73067e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xxDhnLNanq.bat

Filesize
194B

MD5
dad5e3e10cb3a7752e50a3821a9fb3ac

SHA1
da3ad423eb5c15420eaad1b5315d9b0280b92817

SHA256
ebe5a8b7ef5a7e87f750e3ff4bb1011801aaedc69722aab908174aa561c2149b

SHA512
9e2d0e81b61d9ce4c398e404a6fc1aa4b4a79d754627ade297021b4b15095af7bee22e3b7e38dd4565d2ba9316a0a18e5bed0457254ae3b8476d64b7ca997075

Download Submit
memory/1940-238-0x0000000000F10000-0x0000000000FF4000-memory.dmp

Filesize
912KB

Download
memory/2072-226-0x00000000003E0000-0x00000000004C4000-memory.dmp

Filesize
912KB

Download
memory/2248-115-0x0000000000160000-0x0000000000244000-memory.dmp

Filesize
912KB

Download
memory/2692-5-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download
memory/2692-111-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2692-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2692-6-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/2692-7-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/2692-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2692-4-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2692-3-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2692-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2692-1-0x0000000001200000-0x00000000012E4000-memory.dmp

Filesize
912KB

Download
memory/2908-126-0x0000000001380000-0x0000000001464000-memory.dmp

Filesize
912KB

Download