dcrat | a1ddae9574bbeadd40b789fc8c7719b47c0d4bd8ed93abbd1d07f7e866ac40a6

Analysis

max time kernel
151s
max time network
162s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
Size

1.6MB
MD5

1537a2448a3278776c0ad106d583bf42
SHA1

3374a83147189b932096d99e2f34c5c185611242
SHA256

9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a
SHA512

51dab8150cfc0f8c830a3d583e53e6a89a9f05c95daf84dee27cabcd43e03ee2953391d25b366a4a902e6cae6e8b1d05a4eae832d4d51f9e47869ca984e9d10a
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1048	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1048	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/2576-1-0x00000000003B0000-0x0000000000552000-memory.dmp	dcrat
behavioral29/files/0x000600000001a47d-27.dat	dcrat
behavioral29/files/0x000900000001a480-60.dat	dcrat
behavioral29/memory/1804-93-0x0000000001260000-0x0000000001402000-memory.dmp	dcrat
behavioral29/memory/696-126-0x0000000000100000-0x00000000002A2000-memory.dmp	dcrat
behavioral29/memory/1768-138-0x0000000001360000-0x0000000001502000-memory.dmp	dcrat
behavioral29/memory/456-194-0x0000000000390000-0x0000000000532000-memory.dmp	dcrat
behavioral29/memory/644-206-0x0000000000EB0000-0x0000000001052000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1952	powershell.exe
1956	powershell.exe
2960	powershell.exe
2832	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1804	lsass.exe
1328	lsass.exe
2056	lsass.exe
696	lsass.exe
1768	lsass.exe
1704	lsass.exe
1576	lsass.exe
1016	lsass.exe
2328	lsass.exe
456	lsass.exe
644	lsass.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\icsxml\dwm.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Skins\sppsvc.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\sppsvc.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\Windows Media Player\Visualizations\lsass.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCXCCB3.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCXD12A.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\Windows Media Player\Skins\0a1fd5f707cd16	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File created	C:\Program Files\Windows Media Player\Visualizations\6203df4a6bafc7	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCXCCF3.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\RCXD1A8.tmp	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\lsass.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\ja-JP\audiodg.exe	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2908	schtasks.exe
2992	schtasks.exe
2508	schtasks.exe
2748	schtasks.exe
2812	schtasks.exe
2892	schtasks.exe
2552	schtasks.exe
1632	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
1956	powershell.exe
2960	powershell.exe
1952	powershell.exe
2832	powershell.exe
1804	lsass.exe
1328	lsass.exe
2056	lsass.exe
696	lsass.exe
1768	lsass.exe
1704	lsass.exe
1576	lsass.exe
1016	lsass.exe
2328	lsass.exe
456	lsass.exe
644	lsass.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1804	lsass.exe
Token: SeDebugPrivilege	1328	lsass.exe
Token: SeDebugPrivilege	2056	lsass.exe
Token: SeDebugPrivilege	696	lsass.exe
Token: SeDebugPrivilege	1768	lsass.exe
Token: SeDebugPrivilege	1704	lsass.exe
Token: SeDebugPrivilege	1576	lsass.exe
Token: SeDebugPrivilege	1016	lsass.exe
Token: SeDebugPrivilege	2328	lsass.exe
Token: SeDebugPrivilege	456	lsass.exe
Token: SeDebugPrivilege	644	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 1952	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	40
PID 2576 wrote to memory of 1952	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	40
PID 2576 wrote to memory of 1952	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	40
PID 2576 wrote to memory of 1956	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	41
PID 2576 wrote to memory of 1956	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	41
PID 2576 wrote to memory of 1956	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	41
PID 2576 wrote to memory of 2832	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	42
PID 2576 wrote to memory of 2832	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	42
PID 2576 wrote to memory of 2832	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	42
PID 2576 wrote to memory of 2960	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	43
PID 2576 wrote to memory of 2960	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	43
PID 2576 wrote to memory of 2960	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	43
PID 2576 wrote to memory of 2412	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	48
PID 2576 wrote to memory of 2412	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	48
PID 2576 wrote to memory of 2412	2576	9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe	48
PID 2412 wrote to memory of 2232	2412	cmd.exe	50
PID 2412 wrote to memory of 2232	2412	cmd.exe	50
PID 2412 wrote to memory of 2232	2412	cmd.exe	50
PID 2412 wrote to memory of 1804	2412	cmd.exe	51
PID 2412 wrote to memory of 1804	2412	cmd.exe	51
PID 2412 wrote to memory of 1804	2412	cmd.exe	51
PID 1804 wrote to memory of 2060	1804	lsass.exe	52
PID 1804 wrote to memory of 2060	1804	lsass.exe	52
PID 1804 wrote to memory of 2060	1804	lsass.exe	52
PID 1804 wrote to memory of 2516	1804	lsass.exe	53
PID 1804 wrote to memory of 2516	1804	lsass.exe	53
PID 1804 wrote to memory of 2516	1804	lsass.exe	53
PID 2060 wrote to memory of 1328	2060	WScript.exe	54
PID 2060 wrote to memory of 1328	2060	WScript.exe	54
PID 2060 wrote to memory of 1328	2060	WScript.exe	54
PID 1328 wrote to memory of 1616	1328	lsass.exe	55
PID 1328 wrote to memory of 1616	1328	lsass.exe	55
PID 1328 wrote to memory of 1616	1328	lsass.exe	55
PID 1328 wrote to memory of 2988	1328	lsass.exe	56
PID 1328 wrote to memory of 2988	1328	lsass.exe	56
PID 1328 wrote to memory of 2988	1328	lsass.exe	56
PID 1616 wrote to memory of 2056	1616	WScript.exe	57
PID 1616 wrote to memory of 2056	1616	WScript.exe	57
PID 1616 wrote to memory of 2056	1616	WScript.exe	57
PID 2056 wrote to memory of 1528	2056	lsass.exe	58
PID 2056 wrote to memory of 1528	2056	lsass.exe	58
PID 2056 wrote to memory of 1528	2056	lsass.exe	58
PID 2056 wrote to memory of 572	2056	lsass.exe	59
PID 2056 wrote to memory of 572	2056	lsass.exe	59
PID 2056 wrote to memory of 572	2056	lsass.exe	59
PID 1528 wrote to memory of 696	1528	WScript.exe	60
PID 1528 wrote to memory of 696	1528	WScript.exe	60
PID 1528 wrote to memory of 696	1528	WScript.exe	60
PID 696 wrote to memory of 2220	696	lsass.exe	61
PID 696 wrote to memory of 2220	696	lsass.exe	61
PID 696 wrote to memory of 2220	696	lsass.exe	61
PID 696 wrote to memory of 588	696	lsass.exe	62
PID 696 wrote to memory of 588	696	lsass.exe	62
PID 696 wrote to memory of 588	696	lsass.exe	62
PID 2220 wrote to memory of 1768	2220	WScript.exe	63
PID 2220 wrote to memory of 1768	2220	WScript.exe	63
PID 2220 wrote to memory of 1768	2220	WScript.exe	63
PID 1768 wrote to memory of 1104	1768	lsass.exe	64
PID 1768 wrote to memory of 1104	1768	lsass.exe	64
PID 1768 wrote to memory of 1104	1768	lsass.exe	64
PID 1768 wrote to memory of 592	1768	lsass.exe	65
PID 1768 wrote to memory of 592	1768	lsass.exe	65
PID 1768 wrote to memory of 592	1768	lsass.exe	65
PID 1104 wrote to memory of 1704	1104	WScript.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe
"C:\Users\Admin\AppData\Local\Temp\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yw30LwiZf2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2232
- - C:\Program Files\Windows Media Player\Visualizations\lsass.exe
    "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83cc5d39-cfda-4521-affa-d24602dca1ab.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e886dde6-8a49-4156-a19c-ae2ce90d1bda.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fd6c2d3-0b05-4ff4-9160-8a619212264a.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47e7201b-f5cf-4a5e-84f9-044ecd95627a.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\faef666f-ebdb-4481-a7b5-ca13fa286fa8.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b90437de-12a2-4301-9fee-61c50f39d590.vbs"
        14⤵
        
        PID:2612
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8e45273-c1bc-430a-9f12-c4252eae3a66.vbs"
        16⤵
        
        PID:2280
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8c479d7-91a1-4387-b904-3e3cc2f4d87a.vbs"
        18⤵
        
        PID:2400
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c5b2160-1a3b-4a99-9033-57b2ab9ed1d5.vbs"
        20⤵
        
        PID:2164
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\474c5d62-eab5-4c94-a6cf-91545cc78936.vbs"
        22⤵
        
        PID:1592
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4146682-9513-4f87-9f30-b3e40ea19303.vbs"
        24⤵
        
        PID:932
        
        C:\Program Files\Windows Media Player\Visualizations\lsass.exe
        
        "C:\Program Files\Windows Media Player\Visualizations\lsass.exe"
        25⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\772b2fd1-aba5-46f9-8723-8b6355b21aff.vbs"
        24⤵
        
        PID:2884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9580aaf7-f29a-419e-ab7d-ed631bea3fbf.vbs"
        22⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a12ba16-1afd-412c-8e76-43a73ead68ba.vbs"
        20⤵
        
        PID:944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2668da3-7556-47d3-873c-25f03b0c5047.vbs"
        18⤵
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d85cc2f-0531-4e9f-ab56-a6a3b48174e9.vbs"
        16⤵
        
        PID:1148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32c1cfa1-d67e-4f30-a94b-6f671dfc0b8a.vbs"
        14⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\368134e9-a656-400f-8870-bf9c09a8dafd.vbs"
        12⤵
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8ef50936-7982-4783-bef0-f7231ba583e9.vbs"
        10⤵
        
        PID:588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33f1c2a2-cc51-4233-ae8a-9894eaa374ff.vbs"
        8⤵
        
        PID:572
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e48ce611-20b1-4c3c-b742-7eacb926a4a6.vbs"
        6⤵
        
        PID:2988
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d615a551-9230-4731-ac98-e93068703fb7.vbs"
      4⤵
      PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Skins\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Visualizations\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\Visualizations\lsass.exe

Filesize
1.6MB

MD5
b317bff3f2604a3b8406f1b3f2e2c30f

SHA1
8bc0c528d83a812ce20b740ce241b2d34850c2ac

SHA256
595f1910090dcc9f9b1ec03fcb21226456089c5873eb3243cd251c08bb809626

SHA512
fd3a6111f87f61b5b0ae7e09000f417b5128ad2460e77a2084fc2224ce3cdb3c18a9d5184d283f0e4e80c74e0251173b76192c92bc23414fb159204f446affd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\474c5d62-eab5-4c94-a6cf-91545cc78936.vbs

Filesize
737B

MD5
649ddd97e45f30785a179a3e0aa43c4f

SHA1
e9fcbd00d9eb25905f7ea27437bb6ddeee98cdec

SHA256
e4a1af8a5ff9c7a9f196bc36c5b9ce991c520991ab15d11fc597cae26963370d

SHA512
6963aecbe44af137b50e8b982f4cd33797dda0c64c30e18676289430c0eb287510dfbcd76ce2d30f41e3fcbe61516da0eaa559974351a3bb7139b188d347f9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\47e7201b-f5cf-4a5e-84f9-044ecd95627a.vbs

Filesize
737B

MD5
054b2aefe966ea20776d3cc11c4ac97a

SHA1
54c5661e10e35ef262d2b43c032054f65dffd2a9

SHA256
ad7170a93e07b4f403094ba8d4f02ce745119ccf245622e4934a1f249763107f

SHA512
67534ebda81ddebb00da03c6e934367da2d37e59bb30945c887ce448d8bc32b86ed7634a25fc99236f74afb203d46110ef8000d0c8f0e832be0082de47422fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c5b2160-1a3b-4a99-9033-57b2ab9ed1d5.vbs

Filesize
738B

MD5
6c6db9efa26e8f57529a7b6877a23f01

SHA1
27bac846361beb38f331fd7fec468fe728c148fe

SHA256
218de3ed15356847c8d42db42ca316146012d5e6e5bd88938ff86958bc366ba8

SHA512
9b59c8cbc404a9f8f7bb595a6e2063f47f6452eaaaedc7ac27b5d80057e455f42b82087393a45ce4f47cdaf61acec787a7657593f0342b7a366c5de728eb48ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fd6c2d3-0b05-4ff4-9160-8a619212264a.vbs

Filesize
738B

MD5
4da85275c67fd19aa7518c843c972e3c

SHA1
e944ccce86e09d185975ddd1fd600bcd9ed28efe

SHA256
b0653fddc2a9fa4451ff749ab267a242a8a38008b76a631a83c7b3c8f57f368b

SHA512
0b804544d9fee677bb4af39d87f53d41bb397ca9029eb73f0615059cfde52fae9594cd4f5c44e473e365676ac8f223f259e57eb1a94ffabd94b0b9e2618df32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\83cc5d39-cfda-4521-affa-d24602dca1ab.vbs

Filesize
738B

MD5
7ca668f3894db2c095a07dd32fc0e68f

SHA1
9ebac52577c5e5d6f76681c1d545474582098deb

SHA256
0d837c8292203e9d2c90415bfa9f0e4b95f2657a8f6bc2bb01e32cdfc956aa20

SHA512
0bd0224fceb04b39ba0e8061edb07ede9ad90ce1077e7502c486551e59fe9062ac80ec3922129f263975ffa2ddde68f8a48f2d18689b7f3be4a76e54756d8a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXCAA0.tmp

Filesize
1.6MB

MD5
1537a2448a3278776c0ad106d583bf42

SHA1
3374a83147189b932096d99e2f34c5c185611242

SHA256
9a292ed0f527c2d277d74caf545de066170c26a23fb147dd88cf6a84f580a37a

SHA512
51dab8150cfc0f8c830a3d583e53e6a89a9f05c95daf84dee27cabcd43e03ee2953391d25b366a4a902e6cae6e8b1d05a4eae832d4d51f9e47869ca984e9d10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4146682-9513-4f87-9f30-b3e40ea19303.vbs

Filesize
737B

MD5
c4a44dfdb92c073ecf76e7b236a395ff

SHA1
b051254db6cc85c24275666d6a2bd80c58571838

SHA256
5320bff281b6dc1e80bf10c470dcfe2b7edfbcc0555a9fa22d1a90d83269784a

SHA512
46936b53b0bf52aa025f6039a874e931cc47c8c91ad0fe181dc1c0009bbc889b00bdd8ce2234fdedf7a2d1e53de64957c752929d7b5bdba83e6a9fa32a0899d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8e45273-c1bc-430a-9f12-c4252eae3a66.vbs

Filesize
738B

MD5
cfa192666bd311dc6459bfe0ba91699d

SHA1
c72e0935831f62d7429de6e0858ecab4e0b880d5

SHA256
2fb10ae402a5b2bf7a4961ecb4c4876b7b6843a977c33fe6986de99b8d570f15

SHA512
a7f8d5a84671ec5eab5fad582f890ec5c662514711c388050345df0ccf92ef7702d74c7208abb498cc4a115f50d3e8a98c5de59d30e24d587a2490930419daaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\b90437de-12a2-4301-9fee-61c50f39d590.vbs

Filesize
738B

MD5
0fcb90fb3629169a4149a08ab9228469

SHA1
4c19fe7c0a3e1efdb9f7c44c8e5e37d6ea6abcef

SHA256
6b8b2dd3cbb3a17658c2c56d9c18f53b723cc6832fadd9fb0ed27905baf1666e

SHA512
915424dac4433e0f30f2e7988f0abbcd4a20dd6a3b9bd9cd4a70a77b241abda31fb02a1fc701547d010ed16e3d23ab52bcc6dedf1879519dd31e2924d1c90f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\d615a551-9230-4731-ac98-e93068703fb7.vbs

Filesize
514B

MD5
a38ce8bee80beed872744556515f954c

SHA1
031841ffc76299ef0bf2d2e48659156dceb89917

SHA256
6f219659420452b07f22f121019a865dd8dab89e9a06d212525ead989b075ffe

SHA512
21f4a3c84621f01e634b72f98d4135e4ec697b6abf9beb29c17796308a1feeea81ed7c0bf4ea27dc226ba1c6bbd5f8feb4ba7fb3f87133691d99c736cf5f525f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8c479d7-91a1-4387-b904-3e3cc2f4d87a.vbs

Filesize
738B

MD5
65fe274bcb7e7ee872655fb0247ac470

SHA1
4953b88a3b90f795ebdc02c77bd8c8cb68074177

SHA256
9c52aed3feeaebe5ef1d4ca94d9798d43772e5a0f7f7d790d6e656fcc24adffb

SHA512
b2ab46bea2d116a82e809c9bc1ee76457fa19c14c200cfd3a49ffb03209fc35354a379af98d8eed2fccc10688eb6a53c73e43a2e69dc3e113c6e5942df6edb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e886dde6-8a49-4156-a19c-ae2ce90d1bda.vbs

Filesize
738B

MD5
c95a4e5bdcaa5553fadc3b153b02560e

SHA1
259a3f0388995a5f348e58b864083adcedc2fb11

SHA256
1ff6c0865528d6ae94734890458c550d1dd2c41f350f8d4e64d56e7d07d2e2d9

SHA512
afe4012f15129cedbab8c28fb2e6e98d38a1871d5ee2bf2a40b7757513de529648fc20bdaa25c62947b17fbe6a6e528ef9697238204b46baba4190ba67305cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\faef666f-ebdb-4481-a7b5-ca13fa286fa8.vbs

Filesize
738B

MD5
f4fc6f88317c5390d7b3dbfc4bac84b1

SHA1
af97e3a1377c217ece1c0ed9087c10dc1290d79e

SHA256
0ee7557d5008ac9cec1c5f3e0042d673b185e78023a6798ea68fdca6b1b5befb

SHA512
92406e90c7a0bb34af10fe5d45737c5fa1a08336bb8bb6cbc59872f83b82feb3e41fffd2c39af28f8cb08de2ac47d9c74769b5288eed7ec0256b096185c71d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\yw30LwiZf2.bat

Filesize
227B

MD5
da369adc5875fb7b7fb9f2df39fc8b24

SHA1
2cdf645f6dc238823e7cd7c1df80ec8e30ec0df6

SHA256
1f940ed427d7fa5e93aa9b2701c0c4f4e23f1e2269081fabb0cdd90ec06f3152

SHA512
9d0d1536ab66b93c3e3be6b15ff21911605ec03a6f4dc2742efe4b3282de01cc38dbcc10aff884db70a61b586ccd0b3a2c425116e32479a6d99fb4590a5a1f63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
068ba0a82262b98ae140ed24a4b5b05e

SHA1
3b96498ccf34bacd0d0f88137d9a4276014825b0

SHA256
a950f674889c8046d7e4c136e544288a2a00b8816788f0dcea904e88dccbf4d3

SHA512
350d5b96fa0b8aeffebd8daef74ddc6db2995dafcb7c0c7b654c5abfa29323e45aa4b76a3ff7bc91fb68ee32631dae60dd7b5b04b7aa006203d6c84ea144cf78

Download Submit
memory/456-194-0x0000000000390000-0x0000000000532000-memory.dmp

Filesize
1.6MB

Download
memory/644-206-0x0000000000EB0000-0x0000000001052000-memory.dmp

Filesize
1.6MB

Download
memory/696-126-0x0000000000100000-0x00000000002A2000-memory.dmp

Filesize
1.6MB

Download
memory/1768-138-0x0000000001360000-0x0000000001502000-memory.dmp

Filesize
1.6MB

Download
memory/1804-93-0x0000000001260000-0x0000000001402000-memory.dmp

Filesize
1.6MB

Download
memory/2576-10-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2576-11-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2576-89-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-1-0x00000000003B0000-0x0000000000552000-memory.dmp

Filesize
1.6MB

Download
memory/2576-16-0x0000000002440000-0x000000000244C000-memory.dmp

Filesize
48KB

Download
memory/2576-15-0x0000000002430000-0x000000000243A000-memory.dmp

Filesize
40KB

Download
memory/2576-14-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2576-13-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2576-12-0x00000000022A0000-0x00000000022AE000-memory.dmp

Filesize
56KB

Download
memory/2576-2-0x000007FEF6130000-0x000007FEF6B1C000-memory.dmp

Filesize
9.9MB

Download
memory/2576-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/2576-9-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2576-8-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/2576-7-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/2576-6-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2576-5-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/2576-4-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2576-3-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2832-87-0x000000001B410000-0x000000001B6F2000-memory.dmp

Filesize
2.9MB

Download
memory/2960-88-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download