dcrat | 5307ce2390d7c4bfba56c3f519dfcf29d7a5e1752150847c43b6d94d5a9e0ffb

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92efd55895cd60b5057f3fb06ad84c78.exe
Size

1.6MB
MD5

92efd55895cd60b5057f3fb06ad84c78
SHA1

b3217c713b801276d98065e1eca81868545ebd02
SHA256

fd4af6cd1bb01129d61f2bb85c6f0e5dcb3c9cac02229988589ff93666be273c
SHA512

5cf3918370d98a5492496f82e69bef529fb426879e3293808ead5bb2f97e0bdcd30d288b25438a8b2009f58fd8eee522d0f1bb46ce359518a09a50a47794ae5c
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2148	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2148	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/2948-1-0x0000000000ED0000-0x0000000001072000-memory.dmp	dcrat
behavioral29/files/0x000600000001a2d2-27.dat	dcrat
behavioral29/files/0x000700000001a2d2-34.dat	dcrat
behavioral29/memory/2192-92-0x00000000008E0000-0x0000000000A82000-memory.dmp	dcrat
behavioral29/memory/1088-103-0x0000000000380000-0x0000000000522000-memory.dmp	dcrat
behavioral29/memory/2884-115-0x0000000001040000-0x00000000011E2000-memory.dmp	dcrat
behavioral29/memory/2596-138-0x00000000011F0000-0x0000000001392000-memory.dmp	dcrat
behavioral29/memory/1860-150-0x0000000001310000-0x00000000014B2000-memory.dmp	dcrat
behavioral29/memory/2976-217-0x0000000001350000-0x00000000014F2000-memory.dmp	dcrat
behavioral29/memory/2244-229-0x00000000002E0000-0x0000000000482000-memory.dmp	dcrat
behavioral29/memory/3068-241-0x0000000000DA0000-0x0000000000F42000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe
2700	powershell.exe
2712	powershell.exe
2848	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2192	spoolsv.exe
1088	spoolsv.exe
2884	spoolsv.exe
3012	spoolsv.exe
2596	spoolsv.exe
1860	spoolsv.exe
2236	spoolsv.exe
2676	spoolsv.exe
1164	spoolsv.exe
2576	spoolsv.exe
2056	spoolsv.exe
2976	spoolsv.exe
2244	spoolsv.exe
3068	spoolsv.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6ccacd8608530f	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXEE86.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXEEF4.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe	92efd55895cd60b5057f3fb06ad84c78.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\spoolsv.exe	92efd55895cd60b5057f3fb06ad84c78.exe
File created	C:\Windows\DigitalLocker\en-US\f3b6ecef712a24	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXF0F8.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\RCXF0F9.tmp	92efd55895cd60b5057f3fb06ad84c78.exe
File opened for modification	C:\Windows\DigitalLocker\en-US\spoolsv.exe	92efd55895cd60b5057f3fb06ad84c78.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe
2776	schtasks.exe
2784	schtasks.exe
2756	schtasks.exe
2912	schtasks.exe
2636	schtasks.exe
2616	schtasks.exe
2916	schtasks.exe
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2948	92efd55895cd60b5057f3fb06ad84c78.exe
2700	powershell.exe
2848	powershell.exe
2960	powershell.exe
2712	powershell.exe
2192	spoolsv.exe
1088	spoolsv.exe
2884	spoolsv.exe
3012	spoolsv.exe
2596	spoolsv.exe
1860	spoolsv.exe
2236	spoolsv.exe
2676	spoolsv.exe
1164	spoolsv.exe
2576	spoolsv.exe
2056	spoolsv.exe
2976	spoolsv.exe
2244	spoolsv.exe
3068	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	92efd55895cd60b5057f3fb06ad84c78.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2192	spoolsv.exe
Token: SeDebugPrivilege	1088	spoolsv.exe
Token: SeDebugPrivilege	2884	spoolsv.exe
Token: SeDebugPrivilege	3012	spoolsv.exe
Token: SeDebugPrivilege	2596	spoolsv.exe
Token: SeDebugPrivilege	1860	spoolsv.exe
Token: SeDebugPrivilege	2236	spoolsv.exe
Token: SeDebugPrivilege	2676	spoolsv.exe
Token: SeDebugPrivilege	1164	spoolsv.exe
Token: SeDebugPrivilege	2576	spoolsv.exe
Token: SeDebugPrivilege	2056	spoolsv.exe
Token: SeDebugPrivilege	2976	spoolsv.exe
Token: SeDebugPrivilege	2244	spoolsv.exe
Token: SeDebugPrivilege	3068	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2848	2948	92efd55895cd60b5057f3fb06ad84c78.exe	41
PID 2948 wrote to memory of 2848	2948	92efd55895cd60b5057f3fb06ad84c78.exe	41
PID 2948 wrote to memory of 2848	2948	92efd55895cd60b5057f3fb06ad84c78.exe	41
PID 2948 wrote to memory of 2712	2948	92efd55895cd60b5057f3fb06ad84c78.exe	42
PID 2948 wrote to memory of 2712	2948	92efd55895cd60b5057f3fb06ad84c78.exe	42
PID 2948 wrote to memory of 2712	2948	92efd55895cd60b5057f3fb06ad84c78.exe	42
PID 2948 wrote to memory of 2700	2948	92efd55895cd60b5057f3fb06ad84c78.exe	43
PID 2948 wrote to memory of 2700	2948	92efd55895cd60b5057f3fb06ad84c78.exe	43
PID 2948 wrote to memory of 2700	2948	92efd55895cd60b5057f3fb06ad84c78.exe	43
PID 2948 wrote to memory of 2960	2948	92efd55895cd60b5057f3fb06ad84c78.exe	47
PID 2948 wrote to memory of 2960	2948	92efd55895cd60b5057f3fb06ad84c78.exe	47
PID 2948 wrote to memory of 2960	2948	92efd55895cd60b5057f3fb06ad84c78.exe	47
PID 2948 wrote to memory of 2192	2948	92efd55895cd60b5057f3fb06ad84c78.exe	49
PID 2948 wrote to memory of 2192	2948	92efd55895cd60b5057f3fb06ad84c78.exe	49
PID 2948 wrote to memory of 2192	2948	92efd55895cd60b5057f3fb06ad84c78.exe	49
PID 2192 wrote to memory of 1636	2192	spoolsv.exe	50
PID 2192 wrote to memory of 1636	2192	spoolsv.exe	50
PID 2192 wrote to memory of 1636	2192	spoolsv.exe	50
PID 2192 wrote to memory of 1436	2192	spoolsv.exe	51
PID 2192 wrote to memory of 1436	2192	spoolsv.exe	51
PID 2192 wrote to memory of 1436	2192	spoolsv.exe	51
PID 1636 wrote to memory of 1088	1636	WScript.exe	52
PID 1636 wrote to memory of 1088	1636	WScript.exe	52
PID 1636 wrote to memory of 1088	1636	WScript.exe	52
PID 1088 wrote to memory of 1352	1088	spoolsv.exe	53
PID 1088 wrote to memory of 1352	1088	spoolsv.exe	53
PID 1088 wrote to memory of 1352	1088	spoolsv.exe	53
PID 1088 wrote to memory of 2524	1088	spoolsv.exe	54
PID 1088 wrote to memory of 2524	1088	spoolsv.exe	54
PID 1088 wrote to memory of 2524	1088	spoolsv.exe	54
PID 1352 wrote to memory of 2884	1352	WScript.exe	55
PID 1352 wrote to memory of 2884	1352	WScript.exe	55
PID 1352 wrote to memory of 2884	1352	WScript.exe	55
PID 2884 wrote to memory of 2636	2884	spoolsv.exe	56
PID 2884 wrote to memory of 2636	2884	spoolsv.exe	56
PID 2884 wrote to memory of 2636	2884	spoolsv.exe	56
PID 2884 wrote to memory of 2728	2884	spoolsv.exe	57
PID 2884 wrote to memory of 2728	2884	spoolsv.exe	57
PID 2884 wrote to memory of 2728	2884	spoolsv.exe	57
PID 2636 wrote to memory of 3012	2636	WScript.exe	58
PID 2636 wrote to memory of 3012	2636	WScript.exe	58
PID 2636 wrote to memory of 3012	2636	WScript.exe	58
PID 3012 wrote to memory of 1076	3012	spoolsv.exe	59
PID 3012 wrote to memory of 1076	3012	spoolsv.exe	59
PID 3012 wrote to memory of 1076	3012	spoolsv.exe	59
PID 3012 wrote to memory of 2416	3012	spoolsv.exe	60
PID 3012 wrote to memory of 2416	3012	spoolsv.exe	60
PID 3012 wrote to memory of 2416	3012	spoolsv.exe	60
PID 1076 wrote to memory of 2596	1076	WScript.exe	61
PID 1076 wrote to memory of 2596	1076	WScript.exe	61
PID 1076 wrote to memory of 2596	1076	WScript.exe	61
PID 2596 wrote to memory of 2036	2596	spoolsv.exe	62
PID 2596 wrote to memory of 2036	2596	spoolsv.exe	62
PID 2596 wrote to memory of 2036	2596	spoolsv.exe	62
PID 2596 wrote to memory of 580	2596	spoolsv.exe	63
PID 2596 wrote to memory of 580	2596	spoolsv.exe	63
PID 2596 wrote to memory of 580	2596	spoolsv.exe	63
PID 2036 wrote to memory of 1860	2036	WScript.exe	64
PID 2036 wrote to memory of 1860	2036	WScript.exe	64
PID 2036 wrote to memory of 1860	2036	WScript.exe	64
PID 1860 wrote to memory of 1724	1860	spoolsv.exe	65
PID 1860 wrote to memory of 1724	1860	spoolsv.exe	65
PID 1860 wrote to memory of 1724	1860	spoolsv.exe	65
PID 1860 wrote to memory of 1580	1860	spoolsv.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\92efd55895cd60b5057f3fb06ad84c78.exe
"C:\Users\Admin\AppData\Local\Temp\92efd55895cd60b5057f3fb06ad84c78.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\92efd55895cd60b5057f3fb06ad84c78.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\DigitalLocker\en-US\spoolsv.exe
  "C:\Windows\DigitalLocker\en-US\spoolsv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a9451ad-fa5c-468e-86f8-9de425b9b25e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\DigitalLocker\en-US\spoolsv.exe
      C:\Windows\DigitalLocker\en-US\spoolsv.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7c07eda-2bb8-407d-a926-baf3e6d4e51d.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\681bef40-14bb-4a4f-8ea9-2522333680fb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ce276ff-312f-42f4-922b-225b894f7644.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\496c697d-10eb-4ea5-9d65-1b246e4a727a.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc88daed-b193-4df3-9c1a-5a3dc8ee00d7.vbs"
        13⤵
        
        PID:1724
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a9c4d7-fefe-4ae8-8b22-ceb76b48b2d0.vbs"
        15⤵
        
        PID:1984
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0bedc03-27c9-4bc0-a3cb-8fafda0d6587.vbs"
        17⤵
        
        PID:2424
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68320122-4a82-4906-be29-1976d57a42aa.vbs"
        19⤵
        
        PID:1588
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1445487-d91f-4ccb-92a5-f399ccc1d2ed.vbs"
        21⤵
        
        PID:2064
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a85235db-25bd-4644-823c-acd43bfba967.vbs"
        23⤵
        
        PID:2688
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef15471a-5f59-4cae-9035-ef5b5672a148.vbs"
        25⤵
        
        PID:1552
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbc1c70b-8e48-42de-a966-9e7639110ec1.vbs"
        27⤵
        
        PID:1384
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        
        C:\Windows\DigitalLocker\en-US\spoolsv.exe
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae5cfbbf-1766-4f6b-838c-8865c73cbc44.vbs"
        29⤵
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d16e59ba-f9ba-456e-91f7-da2422552fbc.vbs"
        29⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40872c14-57b8-4f27-b1bd-4ad5180914ae.vbs"
        27⤵
        
        PID:848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3442c84-e56c-4f7b-aa68-716e164ec018.vbs"
        25⤵
        
        PID:2572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8de7653c-7ebf-4ca7-bfa9-634030f86d78.vbs"
        23⤵
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\371ce5c3-c640-40b1-953e-8e0aeb48f581.vbs"
        21⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4f8db41-cbaa-4845-b559-33bc0aa21bfb.vbs"
        19⤵
        
        PID:1472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff2460c4-085c-4705-b03f-00d2f4c6d15f.vbs"
        17⤵
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db58f0cf-f01e-4818-880e-51516c165c7d.vbs"
        15⤵
        
        PID:2788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5028cda0-1b99-4f27-979d-9d8c6a475812.vbs"
        13⤵
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54fbcbbd-7dad-40ec-a90f-44459aef6c04.vbs"
        11⤵
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e0643b1-a2ff-4783-9f81-325f1d524371.vbs"
        9⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2769249-45aa-4e00-8e4b-8b8ea73afa02.vbs"
        7⤵
        
        PID:2728
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04c111e4-dc23-407f-a3e4-4a5760f05d08.vbs"
        5⤵
        
        PID:2524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f48b99d-58a3-4dd7-9873-38db7a3fce0f.vbs"
    3⤵
    PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\DigitalLocker\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Idle.exe

Filesize
1.6MB

MD5
9ba8a6ed2ea95ddddc937cffe3655f46

SHA1
99610791edd3072056cb5fa2578bea5c0d87bd6d

SHA256
eba7195d0e578e3b78318b55ac3427ab9a97a46daaca71afdf6d45e696c66c47

SHA512
50d7e2bb0648204f676e2feb5d84a28a91fc902463a3adf1aee42ebe76c1a5669a6b77f16808b80914cf62c8e14432084c1a08f426b2380aeec753dae850b8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f48b99d-58a3-4dd7-9873-38db7a3fce0f.vbs

Filesize
494B

MD5
9f17a06a21adebbbf4c95e74b62794af

SHA1
0f52182e306c9b8c804834d465b8775bf5c6e3c4

SHA256
30514af7e72505449c362914c9a8b48ef3e4ebecddf302a0d6e35c8a04847725

SHA512
aa11af82cee2f6fb4fe0dfd105eeef394209d933ae242ae006f6e885667147ddb09f0fe03caeb32ad826ccfa0d5abd130ce4eb1a81895c14ed7a5df33df60933

Download Submit
C:\Users\Admin\AppData\Local\Temp\496c697d-10eb-4ea5-9d65-1b246e4a727a.vbs

Filesize
718B

MD5
731633e00ff112ebec04ddea662d09ca

SHA1
d277000a26d7e946bcb00efc0da21e490d9bbe11

SHA256
9f079a8b4224ae5d2eb15148311e779fb3199edbd901145ce2a0ef15979e68bf

SHA512
15a69a1f248ad14d7939ca4d555770f06fc45f3354c563a82ff1488ffd9e8172c0bc588aabd1ceaf40b070a87eebfc0ac58145b524d34fb3b8d12e88cbb8ff03

Download Submit
C:\Users\Admin\AppData\Local\Temp\59a9c4d7-fefe-4ae8-8b22-ceb76b48b2d0.vbs

Filesize
718B

MD5
6d58281518b596ab9ce1649e014632e6

SHA1
f5911a75e674ddd520fc9cc86a6064dd83da3048

SHA256
b40d6d767f08686de7de9502298df2a46df6af58d81f20f5f2a88de5acc8225b

SHA512
0eb27c4eed8c93333a9ebf1b5758ba641f468d5d6904b92d75f0dca3a53095e4606f33cfa5e914589c9f5a9bc252c72d9882720bdee91d98c6e09656d8a1fd43

Download Submit
C:\Users\Admin\AppData\Local\Temp\681bef40-14bb-4a4f-8ea9-2522333680fb.vbs

Filesize
718B

MD5
19a1c00ae60efe7a71dbb29671307fbb

SHA1
7d8aeb70fd9ab2372cb39403193d290cd8d9622e

SHA256
5d06d82e146e790d81dea7f3f634cabfcd24f7edd7936d76154aa9b0fdb5f0f6

SHA512
2897c0a988c5224c43e3ffe1fb10e37b9c29ecec5644a2b49c30c2973b71ad06f89986c7eb2f2d15400400f80df2641de8e6fecf0e4f1ee2db39aef3382084b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\68320122-4a82-4906-be29-1976d57a42aa.vbs

Filesize
718B

MD5
cd3e9a59a4699c57723d5558c50d81e8

SHA1
93a06de7ffdd745c964d8357bbfa80d4015c035e

SHA256
484825cb9923a3a60b148c2309816092459e6f3ac4e16eb84c47b316c453560c

SHA512
61575683221aa5a95ba38d9fd248dd9b26dd9d3d023cbd022daa6f88be00e51f99074ffcc6aeeb596683defaf579bf149de444ca19de275425f2980b9628341d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ce276ff-312f-42f4-922b-225b894f7644.vbs

Filesize
718B

MD5
fa902370a6793272cfd0d3281b63add0

SHA1
402e446384cd0ef41e9615cafa4a978c17cd80ed

SHA256
72c1a81c50926b4035ac370c7595a6eb8c84b41a8d531e99b381d7109c0a4435

SHA512
7f6f411f8127edcbd52800b91bbd8c4194b3dc9d5966dbb4af0057f1ef2b8f787b79e080c9c4bc87cb545376c332865c7c236a554ae531653ecd48fc638584ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\9a9451ad-fa5c-468e-86f8-9de425b9b25e.vbs

Filesize
718B

MD5
6cf2abf55ad7813a6f960e25989cac33

SHA1
9642e492b3394fca76a338865aab2000808bdb91

SHA256
4d9a40b3fe083e3de83d10809e1cca8256d03631797a15e36a45b92fa1f56089

SHA512
7afa6341b2ed4f10653e203ff020c7981204d63d05a2e8a390bb0fd90cebffe1dade504e653dd0f402a575bfad2f1aaf5f80c81bd700465262577520940a68b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXEC82.tmp

Filesize
1.6MB

MD5
92efd55895cd60b5057f3fb06ad84c78

SHA1
b3217c713b801276d98065e1eca81868545ebd02

SHA256
fd4af6cd1bb01129d61f2bb85c6f0e5dcb3c9cac02229988589ff93666be273c

SHA512
5cf3918370d98a5492496f82e69bef529fb426879e3293808ead5bb2f97e0bdcd30d288b25438a8b2009f58fd8eee522d0f1bb46ce359518a09a50a47794ae5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0bedc03-27c9-4bc0-a3cb-8fafda0d6587.vbs

Filesize
718B

MD5
c3eca6147679f43ae9562bc908576e34

SHA1
cb386ecf93ca77f3c82d01e59a885672983a8398

SHA256
749935cb5f53a529725bee7e108b017a59c8cb9dfdcf28182eaf369e946d5891

SHA512
6102f5a71a8e9d0335bba4e43f12ffae57245eebc148c9f9b52d62134626383bbc88881a547a1d4f865e713480179bafa87eaeba93e1e25fe3d608498b793f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\a85235db-25bd-4644-823c-acd43bfba967.vbs

Filesize
718B

MD5
f93895697a5c66c04f77f2b91ea6c936

SHA1
0c69b6a96e759626d22aba5785dde8eeca7172eb

SHA256
9ddaa4c0912aa75b53b100a80116e17296e3c39cdbc4a09ce7628c0950aee5ef

SHA512
7483cc3b99c6a3489d4cca5239878b99fc66023e9dab9164a04c69f9cb17cc6484d3dfed5beb8d77465600527af151766031ca0d1c2eedb312a3b217635eab41

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae5cfbbf-1766-4f6b-838c-8865c73cbc44.vbs

Filesize
718B

MD5
6002346773766cb057c88bfa98f74c36

SHA1
72f79ce08b6c1faa1a26a28ad655f6b7e08a3ac9

SHA256
9d5550751576ae6d2fa22a5ec7f04121aa92f73cc47a138629589b813355c37c

SHA512
7a354bb2747d13bc4d68ed51b7b8141a6119c186e9f7288531eac8569bbc7661749fc2e2df62de42c4e87708856f6340a04bb5d6775c00dcdf8e0bc4c9c8acfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc88daed-b193-4df3-9c1a-5a3dc8ee00d7.vbs

Filesize
718B

MD5
2d92036412c81ee0efa0f87c3b1585cf

SHA1
f6f4a23de2143a6c05a61a1a004397b442ec4ce4

SHA256
4b8cd4f0c17dfe957328dc20b1984633f5329bec5048a11cc381c4b15a9fec75

SHA512
e1ab9a0eceda9a88f9ceb848fe0df073e6f85c2f51803f26159e8a4f01a5a107c5f4c1f9d7b2e9a0f88880e4dc6438e0845108b15ff24836f84c42de640f8498

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7c07eda-2bb8-407d-a926-baf3e6d4e51d.vbs

Filesize
718B

MD5
8f07ed5ad652ab5bdd75e80c49b998be

SHA1
90a948ae1ffa7efb44e551e1af55bbac80314acc

SHA256
a530c56e554986f9c250ef25a2cd76642576e449a9edd807796b27c087cb21f1

SHA512
019bec45735e7483ca1af4b90c0f4797f671d0053b8187c4dca639e0254708a20ab88804d50ca9fe980e2a4e7c1ab9e335d9920976682e04cf92b60c0be26512

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef15471a-5f59-4cae-9035-ef5b5672a148.vbs

Filesize
718B

MD5
945a888233d0a0e8644e3f9cffbf76f3

SHA1
8d701cc2f9ef597ae6bed6ee65e7c0675431fe8e

SHA256
9ec8dcb040f038c70c98e7e7e6b8a7f444965122586c7da5bc013ad5b1dcdd85

SHA512
5dd9f6327cfe52d0cad62613ed84b2f90e80eb01e21740ae68d13e3a49235aa63b4973fe83ab1b51ea8fdc8ac425d5d80f8ae156951ce461211733ae970a647d

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1445487-d91f-4ccb-92a5-f399ccc1d2ed.vbs

Filesize
718B

MD5
068351a38be0ded2705b55820ce0ccd4

SHA1
d44bd201899c6163205798843ead81e1880c2d2e

SHA256
513e5712b4c8c021017fc8443110d79b3768e7d578d709671ee03e511a4886df

SHA512
ca218b76d0512f62b5d1d3f9d3530e293ac8741a7c7c8559c55c5c93e7e3a70f02b69948bc27d14a77ac1ccc983acdc2f8e4631ac1e6c9b197e51cd2c8fa2431

Download Submit
C:\Users\Admin\AppData\Local\Temp\fbc1c70b-8e48-42de-a966-9e7639110ec1.vbs

Filesize
718B

MD5
dc07c7b285140c7236d24fa10dc57540

SHA1
c2542e71a7b0dedb257c2b6d68c85ef6d60e04d3

SHA256
1d39a0b81b976b25da7c9d5abc3cdb9e3c09e973b44ee5c47046ec95e73551e5

SHA512
f846e4be69d1a120e6b04ecb6157a6f90729542e0cd9ce7ceb6ee3e9ef35c8b79ae7608ebf6ee6dcdd89780516aedbc3243815480fff9902395779ebe8c51a74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
672646a8dacf9de75c83b0452d0533c5

SHA1
7e528f6b8b7438fa6005618028516c4c669e3e5b

SHA256
2cafe46ec038406b7779c0d8f1b35f7528111e28288d374dfb32cb6bff9684c0

SHA512
8e33d8e8234a179036c80a056cdfee242bd0b4f336045f75b5d8f315e5cbc69bfa5280c5fdc9c6f0022b8a6ef9c09f68ae35720dbb6468903d1817e65eea9fad

Download Submit
memory/1088-103-0x0000000000380000-0x0000000000522000-memory.dmp

Filesize
1.6MB

Download
memory/1860-150-0x0000000001310000-0x00000000014B2000-memory.dmp

Filesize
1.6MB

Download
memory/2192-92-0x00000000008E0000-0x0000000000A82000-memory.dmp

Filesize
1.6MB

Download
memory/2244-229-0x00000000002E0000-0x0000000000482000-memory.dmp

Filesize
1.6MB

Download
memory/2596-138-0x00000000011F0000-0x0000000001392000-memory.dmp

Filesize
1.6MB

Download
memory/2848-84-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2884-115-0x0000000001040000-0x00000000011E2000-memory.dmp

Filesize
1.6MB

Download
memory/2948-13-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/2948-3-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2948-8-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/2948-5-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2948-9-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2948-11-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/2948-1-0x0000000000ED0000-0x0000000001072000-memory.dmp

Filesize
1.6MB

Download
memory/2948-12-0x0000000000BA0000-0x0000000000BAE000-memory.dmp

Filesize
56KB

Download
memory/2948-91-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2948-14-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/2948-15-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download
memory/2948-16-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2948-10-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2948-7-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2948-4-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/2948-2-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

Filesize
9.9MB

Download
memory/2948-6-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2948-0-0x000007FEF5DF3000-0x000007FEF5DF4000-memory.dmp

Filesize
4KB

Download
memory/2960-79-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/2976-217-0x0000000001350000-0x00000000014F2000-memory.dmp

Filesize
1.6MB

Download
memory/3068-241-0x0000000000DA0000-0x0000000000F42000-memory.dmp

Filesize
1.6MB

Download