dcrat | 286e0821c9dff60f28f608fbc48788495e4fc25616f718991a9b1979fce08cac

Analysis

max time kernel
10s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b31fb95009cabc0f3df1aa933306bd32.exe
Size

1.6MB
MD5

b31fb95009cabc0f3df1aa933306bd32
SHA1

6500d8051a4fa58e907f78782c8f64036d936f73
SHA256

fb65fd84e33f32f49ae865e640a957886b51e895fecbf7a6539f7a1e780181f8
SHA512

278c02052dbc4e45331cd0c345cefa9a6b82af032f11500885eb088ed35b7250059f38801270249c534cabe49ba94b5ae741108750ed8c6e2810a1dea3e4d8a1
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5856	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3736	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	3736	schtasks.exe	89

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral32/memory/4124-1-0x0000000000350000-0x00000000004F2000-memory.dmp	dcrat
behavioral32/files/0x000800000002422f-28.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4632	powershell.exe
5056	powershell.exe
5888	powershell.exe
2412	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	b31fb95009cabc0f3df1aa933306bd32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 1 IoCs

pid	Process
4396	lsass.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4388_1073911358\RuntimeBroker.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files\edge_BITS_4388_1073911358\RuntimeBroker.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files\edge_BITS_4388_1073911358\9e8d7a4ca61bd9	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files\edge_BITS_4388_1073911358\RCX511F.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files\edge_BITS_4388_1073911358\RCX5120.tmp	b31fb95009cabc0f3df1aa933306bd32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	b31fb95009cabc0f3df1aa933306bd32.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4916	schtasks.exe
4808	schtasks.exe
1768	schtasks.exe
4756	schtasks.exe
1004	schtasks.exe
804	schtasks.exe
1032	schtasks.exe
5856	schtasks.exe
3044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4124	b31fb95009cabc0f3df1aa933306bd32.exe
5888	powershell.exe
5888	powershell.exe
2412	powershell.exe
2412	powershell.exe
5056	powershell.exe
5056	powershell.exe
4632	powershell.exe
4632	powershell.exe
2412	powershell.exe
5056	powershell.exe
5888	powershell.exe
4632	powershell.exe
4396	lsass.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	b31fb95009cabc0f3df1aa933306bd32.exe
Token: SeDebugPrivilege	5888	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4396	lsass.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 2412	4124	b31fb95009cabc0f3df1aa933306bd32.exe	101
PID 4124 wrote to memory of 2412	4124	b31fb95009cabc0f3df1aa933306bd32.exe	101
PID 4124 wrote to memory of 5888	4124	b31fb95009cabc0f3df1aa933306bd32.exe	102
PID 4124 wrote to memory of 5888	4124	b31fb95009cabc0f3df1aa933306bd32.exe	102
PID 4124 wrote to memory of 5056	4124	b31fb95009cabc0f3df1aa933306bd32.exe	104
PID 4124 wrote to memory of 5056	4124	b31fb95009cabc0f3df1aa933306bd32.exe	104
PID 4124 wrote to memory of 4632	4124	b31fb95009cabc0f3df1aa933306bd32.exe	106
PID 4124 wrote to memory of 4632	4124	b31fb95009cabc0f3df1aa933306bd32.exe	106
PID 4124 wrote to memory of 5440	4124	b31fb95009cabc0f3df1aa933306bd32.exe	109
PID 4124 wrote to memory of 5440	4124	b31fb95009cabc0f3df1aa933306bd32.exe	109
PID 5440 wrote to memory of 2420	5440	cmd.exe	111
PID 5440 wrote to memory of 2420	5440	cmd.exe	111
PID 5440 wrote to memory of 4396	5440	cmd.exe	114
PID 5440 wrote to memory of 4396	5440	cmd.exe	114
PID 4396 wrote to memory of 2696	4396	lsass.exe	116
PID 4396 wrote to memory of 2696	4396	lsass.exe	116
PID 4396 wrote to memory of 948	4396	lsass.exe	117
PID 4396 wrote to memory of 948	4396	lsass.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b31fb95009cabc0f3df1aa933306bd32.exe
"C:\Users\Admin\AppData\Local\Temp\b31fb95009cabc0f3df1aa933306bd32.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b31fb95009cabc0f3df1aa933306bd32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4388_1073911358\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XPHLZFCewE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5440
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2420
- - C:\Users\Public\Documents\lsass.exe
    "C:\Users\Public\Documents\lsass.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5e16c70-9533-4699-abba-9104c9d0c26d.vbs"
      4⤵
      PID:2696
    - - C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        5⤵
        
        PID:5244
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27e77008-8e11-4c98-b58d-dd263fc6ac94.vbs"
        6⤵
        
        PID:6132
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        7⤵
        
        PID:5772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b66913e2-2a32-408c-9ef1-742698b263f3.vbs"
        8⤵
        
        PID:1708
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        9⤵
        
        PID:6096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7345a2a0-914a-4f04-8b7a-d64380d5b613.vbs"
        10⤵
        
        PID:5456
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        11⤵
        
        PID:3344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e42e8207-49c4-40af-9734-550bd3e23e19.vbs"
        12⤵
        
        PID:3012
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        13⤵
        
        PID:5384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e02253-6095-47ce-b2fc-824efc51a416.vbs"
        14⤵
        
        PID:4012
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        15⤵
        
        PID:856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98e35516-fc6b-4168-a038-33e2a6fd6da8.vbs"
        16⤵
        
        PID:3336
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        17⤵
        
        PID:4536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2672b054-48f1-40d5-9a2e-3ab5599d9e37.vbs"
        18⤵
        
        PID:4888
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        19⤵
        
        PID:5160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\de84a480-f751-459f-8a51-159787c44022.vbs"
        20⤵
        
        PID:5756
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        21⤵
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bd30d9e-d3ad-4e92-9523-bccc065a40b0.vbs"
        22⤵
        
        PID:5184
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        23⤵
        
        PID:3320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebad7796-7600-4267-9606-aa1a6d1fd412.vbs"
        24⤵
        
        PID:3584
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        25⤵
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71c3d54f-afc0-4984-98d8-c8f0a76f595c.vbs"
        26⤵
        
        PID:2196
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        27⤵
        
        PID:5996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93b51689-dd9b-4814-b9d8-aec09a7fb144.vbs"
        28⤵
        
        PID:2264
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        29⤵
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca4bbc13-160d-4144-8064-d254d1098c7c.vbs"
        30⤵
        
        PID:4972
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        31⤵
        
        PID:3956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c1ef348-fb13-4198-9c3f-67745793fc33.vbs"
        32⤵
        
        PID:772
        
        C:\Users\Public\Documents\lsass.exe
        
        C:\Users\Public\Documents\lsass.exe
        33⤵
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df29734c-92e2-43b2-baed-614570a0bba0.vbs"
        34⤵
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cffecd3-27f3-4861-b18f-b8924535fd27.vbs"
        34⤵
        
        PID:5568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f380f74-aa7d-48ea-b7c1-a4a7ef4d0820.vbs"
        32⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7bc375aa-2dde-43c7-ab88-84459b6789b3.vbs"
        30⤵
        
        PID:5224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\993b6e2b-dc9e-49c8-99e1-6c08f305f870.vbs"
        28⤵
        
        PID:4244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0630247-32b1-4c5c-97da-43fbb84e602a.vbs"
        26⤵
        
        PID:3740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1572da3-171b-43e3-8d14-a1b5e695b7ba.vbs"
        24⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f424290f-203f-4fbe-9aea-40af61db99c5.vbs"
        22⤵
        
        PID:5376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a225d52-806a-47ce-9627-b3aed0df0175.vbs"
        20⤵
        
        PID:5828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f225883-2f23-4132-a881-15264ec3626e.vbs"
        18⤵
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68f89369-ea3c-496c-949b-faf52ee191c6.vbs"
        16⤵
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e47e41a5-e54e-4330-acff-dad0dbc55369.vbs"
        14⤵
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c40eb7c-ed7c-47b0-99b7-98f1ab8dc784.vbs"
        12⤵
        
        PID:4400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e520b82-da5e-4773-b06f-ab38d4b7d8af.vbs"
        10⤵
        
        PID:5444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67df68cc-be7b-4693-9f67-6625db2fb332.vbs"
        8⤵
        
        PID:376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e2af2c3-a9e1-42f1-ba38-5999e99a86a6.vbs"
        6⤵
        
        PID:2284
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f4d390d-e5df-4995-bab8-ecb75a746fd0.vbs"
      4⤵
      PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\edge_BITS_4388_1073911358\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4388_1073911358\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4388_1073911358\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5e147edfabd7f129d7206d4ee8c4242

SHA1
a4a26e1793fe331b20a56e97c930f343a92be728

SHA256
9417644a8d49effdbc6a120b8d32093626b2ef9e8fe65d2c3163e3b3741a9629

SHA512
ec2530e8b7f2a9a916a94bf0d3a8c830bc258e2b73b5feacb99fbbeda40bf45d20931dded36fc24039a55e3c35cc150bc88e4837339f4db696508745c18f64c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
454c5c4b128d34aee2eb765f2a9c0aa9

SHA1
4b6e92db79d964f604fd6b261b3b19ede2aea8a5

SHA256
e1e65d1697b9ac59805f677cbc8eec623a899b75b1389354f0948ad3c1513772

SHA512
17b4e146ef4f8862d06ac975204cca9ef9b077420256df92d94409715b18efb4dc63879154c1c234317a169ac63024ed43b5cb52473882dc46c588af089f25d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3332c2f747b79a54dc9f4867423e31c3

SHA1
de8440945ab0c382b6657dd2e6f50bbc2a4b73bd

SHA256
f8ddc8eddb53247304e5463829cbf8d1a420a77781237820efa0c94ab18612cd

SHA512
96fcc7c39335ce60da1f8db2ff9b62324d60080fb1a5a81262a26c311b78117bf85b481113800f88ac6a37b7ba26a7be510f3c098b26828c751974339a1e8835

Download Submit
C:\Users\Admin\AppData\Local\Temp\04e02253-6095-47ce-b2fc-824efc51a416.vbs

Filesize
711B

MD5
43d1f7df87e238658c0c783e6b9b7022

SHA1
24672b3139bd860915e5ebc708fdb5a29734a2d7

SHA256
95da8bd7512a15b777efbeaa1afa2d89248a0f2d2bae428cba07c022621851d7

SHA512
3a9a0a5f5f5f9612b060b5d1d60a1971678e7f1e681e55f0069e950dd88d9cfac086a4cbc2b2670377eedd978ca0166f669a3e0b32c963fe589c6658a7624aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2672b054-48f1-40d5-9a2e-3ab5599d9e37.vbs

Filesize
711B

MD5
3154526ee860aceb12afd1653dfc5fbd

SHA1
4063e6b677da8dd765faf4c75b03d3d2cea40a15

SHA256
16424bebb5bb66a9a370e8b327b4dc792999f861e2b55387c3d8ae4ab6271286

SHA512
608e843bcb212291d440e60a2d384a8d41c52b6192055417c5790e7cae28ce6f396c86546dc63b6d47127cdf1a8ae99323bf1a9588bad892087a572971015058

Download Submit
C:\Users\Admin\AppData\Local\Temp\27e77008-8e11-4c98-b58d-dd263fc6ac94.vbs

Filesize
711B

MD5
c517564ea4e8e152e383989b67e214c0

SHA1
95837d56d88acd347366741462f71161b5eefd7b

SHA256
107acce2301091411530bba4e8caac44b69ec6f8e88e065ffe2b2798793972a8

SHA512
cd4b8309d613c784762126b828cfe92d3d8af734c52e451e1ebedae3929063143a652a6ff2b78622c17b2408a6de83d0766b66d2737d764657717282af0e8f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f4d390d-e5df-4995-bab8-ecb75a746fd0.vbs

Filesize
487B

MD5
8a358bf9d0509b667cebe0aa4d8fd30b

SHA1
6b49f631724b07021941b8fff2760e8594880181

SHA256
ffb32c1c0ad8d62a75a714c081a410a8acad7ed61af9edfdbb61b8869366b0c1

SHA512
52adef135c284d204795f64df300269ccf39fd32624951b461f03feec944ac6d1969434e4a3dc0227c1306c69ebbfbd298100cf31b4de55fc40c90097c3ad24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\71c3d54f-afc0-4984-98d8-c8f0a76f595c.vbs

Filesize
711B

MD5
1395bec38eae38f8896aa9f8fffcde47

SHA1
8b9af692a8eee9210db6f1b0b880416f00768e4c

SHA256
75ea8a93d358329c550f174658574b4ee43b516d8d05786304c3d21c3cad3f46

SHA512
e8a72e62b43aa4f42d73fdbddb8462ef30b5a5bb5524d0d23ffc208da9800c4c2b9f2c73fc7f313a069b1a41e7b650c646c87cd39d6874c1cf00e70bf0d4874e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7345a2a0-914a-4f04-8b7a-d64380d5b613.vbs

Filesize
711B

MD5
348d469ed0fc01d09e613913e9702b8d

SHA1
f4ec3ba7369229b64e22d545f3bed7cd629c61a8

SHA256
8d794e58511216226c65af6ddd0e2f32e394ce57c3f08866a015629b262c2336

SHA512
fe5ee7f0923ff3a0d54e9152447706da183dcef991fa03cc93ccc52598bd27d5281a19dd9e89b451d2eb78a03184b25f993d76458c910155a7868a472105a28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\93b51689-dd9b-4814-b9d8-aec09a7fb144.vbs

Filesize
711B

MD5
2c91544d8afc5c1803bc9c19eec6aec9

SHA1
b980ac0e8ca2d5d65f967c5632399e2046fe2ce1

SHA256
bf819f15f7f90d933cfd1c0fc7c06d8375820b9c885c04f38b8d2dceae918bce

SHA512
b81826d2991cb5cbc06275faf4578e682b095b4f50c0518ebacc34af35fe3407f076ed05a3e62c8430c246f3a8bed9c986215413edccc90518c05e3943c582a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\98e35516-fc6b-4168-a038-33e2a6fd6da8.vbs

Filesize
710B

MD5
93e87db4d14f14cc2390a45bfe821073

SHA1
7407909bec0fad65690a036cdf2818e4721cfc81

SHA256
c120a3fc3f7561b874dbf87c6384a4659de10ac037d2489ecd299e3f311907f6

SHA512
5636ccd26c0b0cfcf10cef5b349484208af4c9fbb8b9d664068d4105446ea6c7560389d0c31ede13d0e3bcee07cd4c295d9953f0ee10c7e3e9fd0e1cefb12104

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bd30d9e-d3ad-4e92-9523-bccc065a40b0.vbs

Filesize
711B

MD5
4449474025921450d9aee910d96948ca

SHA1
60d54cce8a562760a8718ac7da102eeaf6fce04a

SHA256
2adb51cf315a28a35fad02e743707ed6ff7837ac72a8f349b4e32ff40061f606

SHA512
f6189930dc27f21dbb4103f55c3aedd657cc0658245e99da735d9f80a67bddf5c1f4561c4afc81dd1ce3784f4cba62576de9027bc5f1743c9e9a0475d0290ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCX4F0B.tmp

Filesize
1.6MB

MD5
b31fb95009cabc0f3df1aa933306bd32

SHA1
6500d8051a4fa58e907f78782c8f64036d936f73

SHA256
fb65fd84e33f32f49ae865e640a957886b51e895fecbf7a6539f7a1e780181f8

SHA512
278c02052dbc4e45331cd0c345cefa9a6b82af032f11500885eb088ed35b7250059f38801270249c534cabe49ba94b5ae741108750ed8c6e2810a1dea3e4d8a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XPHLZFCewE.bat

Filesize
200B

MD5
2183554cd4c0f82f1dd5080465c3d73b

SHA1
ed58dd9c14342639d10ccb8985dae41a60ba7c5b

SHA256
fabeadab1afd86fabbe4bb0a403d1a455cc8b8fe6e059b36bc57753bb6f0708f

SHA512
4656ce94d896f2c5f8898d90fd7b2378d5c83cd07f05b4e198d5429930f572b8b180edb8252ce782f2c1215c032cfd4dce56d04f9810144684b1b8bccdde9a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v3wcq5kr.24u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b66913e2-2a32-408c-9ef1-742698b263f3.vbs

Filesize
711B

MD5
cd2493bb4e4728aa9908c6f926346087

SHA1
731ca845c543e3e08ba3ea57bc1a0bd320e1d206

SHA256
3c4e362db27783e932c88860fd0d2b307901d0b46d6b554baf7bddbb474ac303

SHA512
03640ac27cc7bf15bedfd9ac1f62c1d5bfc07178efbd23aaebaa3c8616b3546fc4a2acd7b7975b788c8f686849cbb8eddcb868090472156707faf62f1dac2f1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca4bbc13-160d-4144-8064-d254d1098c7c.vbs

Filesize
711B

MD5
d41631b0921dc206a59387c67f0aba9b

SHA1
85bb2b5c2e3fd11506ba0b894b3450132b9e3e7b

SHA256
6f8de18e2293c01dcac98e2e0ee072ab78269f8c0f4bcf9d3b884e4758f68b87

SHA512
60ff30215c501a53bba3095009e40fdc529acebe56452a75612f369c75cb967ddc6e1505f33eb8448cb2eed8526aae67a3b7fd8a0b6a25edb467eb19efdc8641

Download Submit
C:\Users\Admin\AppData\Local\Temp\de84a480-f751-459f-8a51-159787c44022.vbs

Filesize
711B

MD5
ab3dfab250e5b0ef52b563332d9fc5d8

SHA1
587c511b97370641b987cbae9fcf8e72747092c2

SHA256
8d43811d7b24025c301699f184ac48f183ade6764af46b66e262a991b639c7fd

SHA512
f77a9bf621d1729de9e58b89822ced13d2214284a132bfce76ff73c288c36ee89c79c30a1eaec7aaa0c1833cdebc5e8b6ee3b0ca51850a5a8eab7a0fac7eb2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\e42e8207-49c4-40af-9734-550bd3e23e19.vbs

Filesize
711B

MD5
0060167e9a2171d534f7ba8bb47d794f

SHA1
06c57e41fcc8df9bcc320bbeb542132a6a26fc3b

SHA256
8f70cb28f9783fc8b8befde4faf82836e7613db416af9d0b4a7c3cb1ca9ef66a

SHA512
aa27ae8f6fa848383ba119ac2be20f8ce7c8db969a8cdf92d787a164c0d854c66af83ce7861272280aaa09328a3394c8ab049bcf23a47d0d5ac58595961c3935

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5e16c70-9533-4699-abba-9104c9d0c26d.vbs

Filesize
711B

MD5
a273f96d7c1a61c839258e004fb4f3d3

SHA1
a819df7f34fac65a88e7bbbdc8cf6c0d809dc103

SHA256
39146bc981726eeb17982f8ffc5221966b681f8ff3336af5c40fac40b7620ea2

SHA512
9d12e8edce14dc31c0f00c20df3e1640f289940b92ead63c2c534b318d3addca32e255e58829b556ae38137fd3ae80f1011d49141034e0f29e26a6058ee5a3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebad7796-7600-4267-9606-aa1a6d1fd412.vbs

Filesize
711B

MD5
9471bd2dec999563e67775071e1dc746

SHA1
078c60c9a72f525e8948a1c7baab1a001c2eab5a

SHA256
f804a757fa8f6b155ec9e9af4d16700dd13386d6f8c9e2c9d35e56c5d1d3de6f

SHA512
966180800a95e297253bc06c2ae1c952b89b6d09b90779da88234426de71c7ec12be3d86fa7a95dabb17cb6ed2ca03e290596f9f75a53581c80f20d4030220a5

Download Submit
memory/4124-12-0x0000000002800000-0x000000000280A000-memory.dmp

Filesize
40KB

Download
memory/4124-16-0x000000001B190000-0x000000001B19A000-memory.dmp

Filesize
40KB

Download
memory/4124-10-0x0000000002790000-0x000000000279C000-memory.dmp

Filesize
48KB

Download
memory/4124-11-0x00000000027A0000-0x00000000027AC000-memory.dmp

Filesize
48KB

Download
memory/4124-7-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/4124-6-0x0000000002630000-0x0000000002646000-memory.dmp

Filesize
88KB

Download
memory/4124-14-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/4124-15-0x000000001B180000-0x000000001B188000-memory.dmp

Filesize
32KB

Download
memory/4124-4-0x00000000027B0000-0x0000000002800000-memory.dmp

Filesize
320KB

Download
memory/4124-9-0x0000000002780000-0x0000000002788000-memory.dmp

Filesize
32KB

Download
memory/4124-0-0x00007FFAA39D3000-0x00007FFAA39D5000-memory.dmp

Filesize
8KB

Download
memory/4124-17-0x000000001B1A0000-0x000000001B1AC000-memory.dmp

Filesize
48KB

Download
memory/4124-13-0x0000000002810000-0x000000000281E000-memory.dmp

Filesize
56KB

Download
memory/4124-8-0x0000000002770000-0x0000000002780000-memory.dmp

Filesize
64KB

Download
memory/4124-81-0x00007FFAA39D0000-0x00007FFAA4491000-memory.dmp

Filesize
10.8MB

Download
memory/4124-5-0x0000000000DC0000-0x0000000000DD0000-memory.dmp

Filesize
64KB

Download
memory/4124-3-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/4124-2-0x00007FFAA39D0000-0x00007FFAA4491000-memory.dmp

Filesize
10.8MB

Download
memory/4124-1-0x0000000000350000-0x00000000004F2000-memory.dmp

Filesize
1.6MB

Download
memory/5888-80-0x0000020A9C1B0000-0x0000020A9C1D2000-memory.dmp

Filesize
136KB

Download