dcrat | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
147s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Size

1.6MB
MD5

1ce9d2fa35466d6d37d1d56f63408884
SHA1

a389a7bcde0ed2e53bfe20379fd42ec9db7bf8fc
SHA256

0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1
SHA512

f3a939183f5bcac1d5cdf92b3061227e407d8e5d0119f40130ce0e31cdcb63e741ba8978fd0ca9c43e4a6e1e68d5dac54eea2dcc9921fd6e787a799b0c441cb2
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	776	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	776	schtasks.exe	31

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral3/memory/2328-1-0x0000000001320000-0x00000000014C2000-memory.dmp	dcrat
behavioral3/files/0x0006000000019c74-29.dat	dcrat
behavioral3/files/0x000d000000016d46-73.dat	dcrat
behavioral3/memory/3060-111-0x0000000000E30000-0x0000000000FD2000-memory.dmp	dcrat
behavioral3/memory/1364-122-0x0000000001170000-0x0000000001312000-memory.dmp	dcrat
behavioral3/memory/1788-145-0x0000000000320000-0x00000000004C2000-memory.dmp	dcrat
behavioral3/memory/1832-157-0x0000000001010000-0x00000000011B2000-memory.dmp	dcrat
behavioral3/memory/2424-169-0x00000000011E0000-0x0000000001382000-memory.dmp	dcrat
behavioral3/memory/3056-214-0x0000000000050000-0x00000000001F2000-memory.dmp	dcrat
behavioral3/memory/556-226-0x0000000000C00000-0x0000000000DA2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1000	powershell.exe
2968	powershell.exe
2700	powershell.exe
1316	powershell.exe
548	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3060	sppsvc.exe
1364	sppsvc.exe
1452	sppsvc.exe
1788	sppsvc.exe
1832	sppsvc.exe
2424	sppsvc.exe
2336	sppsvc.exe
2972	sppsvc.exe
1952	sppsvc.exe
3056	sppsvc.exe
556	sppsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2428	schtasks.exe
2772	schtasks.exe
2892	schtasks.exe
2788	schtasks.exe
2728	schtasks.exe
2604	schtasks.exe
2336	schtasks.exe
2812	schtasks.exe
2824	schtasks.exe
2740	schtasks.exe
2644	schtasks.exe
2684	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
3060	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
1316	powershell.exe
1000	powershell.exe
2700	powershell.exe
548	powershell.exe
2968	powershell.exe
3060	sppsvc.exe
1364	sppsvc.exe
1452	sppsvc.exe
1788	sppsvc.exe
1832	sppsvc.exe
2424	sppsvc.exe
2336	sppsvc.exe
2972	sppsvc.exe
1952	sppsvc.exe
3056	sppsvc.exe
556	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	3060	sppsvc.exe
Token: SeDebugPrivilege	1364	sppsvc.exe
Token: SeDebugPrivilege	1452	sppsvc.exe
Token: SeDebugPrivilege	1788	sppsvc.exe
Token: SeDebugPrivilege	1832	sppsvc.exe
Token: SeDebugPrivilege	2424	sppsvc.exe
Token: SeDebugPrivilege	2336	sppsvc.exe
Token: SeDebugPrivilege	2972	sppsvc.exe
Token: SeDebugPrivilege	1952	sppsvc.exe
Token: SeDebugPrivilege	3056	sppsvc.exe
Token: SeDebugPrivilege	556	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 548	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	44
PID 2328 wrote to memory of 548	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	44
PID 2328 wrote to memory of 548	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	44
PID 2328 wrote to memory of 1316	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	45
PID 2328 wrote to memory of 1316	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	45
PID 2328 wrote to memory of 1316	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	45
PID 2328 wrote to memory of 2700	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	46
PID 2328 wrote to memory of 2700	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	46
PID 2328 wrote to memory of 2700	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	46
PID 2328 wrote to memory of 2968	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	49
PID 2328 wrote to memory of 2968	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	49
PID 2328 wrote to memory of 2968	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	49
PID 2328 wrote to memory of 1000	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	50
PID 2328 wrote to memory of 1000	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	50
PID 2328 wrote to memory of 1000	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	50
PID 2328 wrote to memory of 2324	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	54
PID 2328 wrote to memory of 2324	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	54
PID 2328 wrote to memory of 2324	2328	0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe	54
PID 2324 wrote to memory of 744	2324	cmd.exe	56
PID 2324 wrote to memory of 744	2324	cmd.exe	56
PID 2324 wrote to memory of 744	2324	cmd.exe	56
PID 2324 wrote to memory of 3060	2324	cmd.exe	57
PID 2324 wrote to memory of 3060	2324	cmd.exe	57
PID 2324 wrote to memory of 3060	2324	cmd.exe	57
PID 2324 wrote to memory of 3060	2324	cmd.exe	57
PID 2324 wrote to memory of 3060	2324	cmd.exe	57
PID 3060 wrote to memory of 2192	3060	sppsvc.exe	58
PID 3060 wrote to memory of 2192	3060	sppsvc.exe	58
PID 3060 wrote to memory of 2192	3060	sppsvc.exe	58
PID 3060 wrote to memory of 1220	3060	sppsvc.exe	59
PID 3060 wrote to memory of 1220	3060	sppsvc.exe	59
PID 3060 wrote to memory of 1220	3060	sppsvc.exe	59
PID 2192 wrote to memory of 1364	2192	WScript.exe	60
PID 2192 wrote to memory of 1364	2192	WScript.exe	60
PID 2192 wrote to memory of 1364	2192	WScript.exe	60
PID 2192 wrote to memory of 1364	2192	WScript.exe	60
PID 2192 wrote to memory of 1364	2192	WScript.exe	60
PID 1364 wrote to memory of 2828	1364	sppsvc.exe	61
PID 1364 wrote to memory of 2828	1364	sppsvc.exe	61
PID 1364 wrote to memory of 2828	1364	sppsvc.exe	61
PID 1364 wrote to memory of 2644	1364	sppsvc.exe	62
PID 1364 wrote to memory of 2644	1364	sppsvc.exe	62
PID 1364 wrote to memory of 2644	1364	sppsvc.exe	62
PID 2828 wrote to memory of 1452	2828	WScript.exe	63
PID 2828 wrote to memory of 1452	2828	WScript.exe	63
PID 2828 wrote to memory of 1452	2828	WScript.exe	63
PID 2828 wrote to memory of 1452	2828	WScript.exe	63
PID 2828 wrote to memory of 1452	2828	WScript.exe	63
PID 1452 wrote to memory of 1936	1452	sppsvc.exe	64
PID 1452 wrote to memory of 1936	1452	sppsvc.exe	64
PID 1452 wrote to memory of 1936	1452	sppsvc.exe	64
PID 1452 wrote to memory of 1948	1452	sppsvc.exe	65
PID 1452 wrote to memory of 1948	1452	sppsvc.exe	65
PID 1452 wrote to memory of 1948	1452	sppsvc.exe	65
PID 1936 wrote to memory of 1788	1936	WScript.exe	66
PID 1936 wrote to memory of 1788	1936	WScript.exe	66
PID 1936 wrote to memory of 1788	1936	WScript.exe	66
PID 1936 wrote to memory of 1788	1936	WScript.exe	66
PID 1936 wrote to memory of 1788	1936	WScript.exe	66
PID 1788 wrote to memory of 1316	1788	sppsvc.exe	67
PID 1788 wrote to memory of 1316	1788	sppsvc.exe	67
PID 1788 wrote to memory of 1316	1788	sppsvc.exe	67
PID 1788 wrote to memory of 1684	1788	sppsvc.exe	68
PID 1788 wrote to memory of 1684	1788	sppsvc.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe
"C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EgHMMZxkRU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:744
- - C:\Users\Admin\Downloads\sppsvc.exe
    "C:\Users\Admin\Downloads\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61632a84-8cea-46fd-8e68-a4fe1094f2be.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbd680ef-2754-4629-b988-018dc2a6e378.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb1ba657-31b7-4fc9-a632-92497e7c4257.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed69ed00-4d30-4850-8ad7-0451325969fb.vbs"
        10⤵
        
        PID:1316
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb7ad2d6-897a-410a-8a99-3abe9ca3d517.vbs"
        12⤵
        
        PID:2288
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b778e45a-1c73-4505-ac09-797606878de1.vbs"
        14⤵
        
        PID:1416
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d7180ff-082e-4462-954f-a13313adf841.vbs"
        16⤵
        
        PID:1916
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb3db5b1-cad1-44b1-a398-3eff57328c02.vbs"
        18⤵
        
        PID:668
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52ad6bdc-79f0-4d44-a932-3ea8e3f6e281.vbs"
        20⤵
        
        PID:2416
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce2c0ba4-790c-483d-ba54-d6923ca95480.vbs"
        22⤵
        
        PID:2660
        
        C:\Users\Admin\Downloads\sppsvc.exe
        
        C:\Users\Admin\Downloads\sppsvc.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\784b7701-ac0e-44d4-bd2d-48d48d6f3076.vbs"
        24⤵
        
        PID:1612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b38a36bf-80e4-4691-89da-6ad27f9e190f.vbs"
        24⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a47099dc-25d2-4192-ae4b-15615ce13296.vbs"
        22⤵
        
        PID:2296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\488eecab-55a5-44c3-8365-ea28dea043aa.vbs"
        20⤵
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbd9576e-4c5f-4f68-afc4-b143cd7256ca.vbs"
        18⤵
        
        PID:2172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9f06dc6-ad7f-4298-8611-1b4cd7002bb4.vbs"
        16⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c451789-16f8-41f0-8bb1-4e015ba167db.vbs"
        14⤵
        
        PID:2344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f1fe857-108e-4f1f-8638-c458756baa9b.vbs"
        12⤵
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60a0841b-bd04-4be4-be71-720e656f5346.vbs"
        10⤵
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75ea2988-a2f6-4027-b0e1-50cda769c4bb.vbs"
        8⤵
        
        PID:1948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09af9f0a-b5d1-4964-8c28-c078f43da080.vbs"
        6⤵
        
        PID:2644
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b90207f-699d-4dd5-b3a3-aa612d3206e6.vbs"
      4⤵
      PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Downloads\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2d7180ff-082e-4462-954f-a13313adf841.vbs

Filesize
711B

MD5
301a7fce23039c96543ff00dfe64832d

SHA1
c659cf5f398b123dafb540d5b49d5c6c7c1cbfd8

SHA256
3988ba4236cabe2fee2b59396c2a590b42a0a6a843e8fcfa7553cc31f49933b8

SHA512
79788347d397787f46b5663b29e518cbc52b5f5575c40ab51a4985c3f37ff662aaf43d4c54aa64e9cb9094c453cfb7342526b8a7cb25134e9f64fac7d6cc156a

Download Submit
C:\Users\Admin\AppData\Local\Temp\52ad6bdc-79f0-4d44-a932-3ea8e3f6e281.vbs

Filesize
711B

MD5
39280ab684a730ac0a8c29798727bda2

SHA1
8a85cb141a53159fe58e13cb1d492fc13e231ae5

SHA256
8b579da90f6a7a9f6e45c91139014b86e2784c472e39f849ee4482bd702d0591

SHA512
bd8e111c23373127ceb8ad83508c5104fe80c761129839b443df9ebd3552e427210d87d7995610dd1146c36b0621ff8673a87acc82c19a5e6134aeea927d3983

Download Submit
C:\Users\Admin\AppData\Local\Temp\61632a84-8cea-46fd-8e68-a4fe1094f2be.vbs

Filesize
711B

MD5
42772353e3801407da795ac3f6e6853c

SHA1
15d62a662e355c852a3ccb18bdc77dede039e6a0

SHA256
2e2529d146129e93d6cc95331c76509ed6ae78c9a95e259ff83d7fb354f586c7

SHA512
de1f4b137af9de4a134c3cb0137888b9b907a891c130e10c9d733d4785c1e36f3d233f7351fca08434b7a7aae6389133a8fd1d2913eca79486ebda51fedb1bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b90207f-699d-4dd5-b3a3-aa612d3206e6.vbs

Filesize
487B

MD5
1a2a79bde2b7505123c941656856393a

SHA1
d7cd964b726135d739c55d412ed682f2de2c9759

SHA256
da4ae5aa0de68eda90b933f506e91deec6ca0b51f97c460dfdbcbdbbf9e1d77b

SHA512
968a2a170e26a5c6779d5ea64d8fdf7aaa2327f8f9929a74f6358af3d04c0ef2e5da5543cd9f084c1ebd0b4529ebc1cc8d37c25c92c62a5afdac5300acfc3b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\784b7701-ac0e-44d4-bd2d-48d48d6f3076.vbs

Filesize
710B

MD5
ebe35a3934a0c997ddc02eb2bde1d21c

SHA1
d35b6b17c21e40a162f99db59c7b6c82edc66510

SHA256
da73e82645eae0b46781aa83acd32e75e4f490bc8975bc0dd5fc91077de7aeb4

SHA512
ef957c7ca1a63c79fa2953516b845b575b38abc923b7e6f2f084c3d1b1447c0bb807782d4015ad55229d1a9b4c4a9d24ea925e2e17370bc32873b0efa0a506dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgHMMZxkRU.bat

Filesize
200B

MD5
3e2412f277d146a94cbb6d05b005dc4b

SHA1
fa0ea591b18bf17e564802c8c5dd4f02f2a6feb9

SHA256
b2cf0b001d73a2ebf824ef4d02bfa534656eaa920526bab5cecbf2881a305fcc

SHA512
7ab761104f8e164e8e242936a917353ee13cb2c42c78935f39f8b2ee37977588255637c00097622f80bcfd24b0a9eadddf04b87dadda4e9d2654d063c9f1558f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXDC9A.tmp

Filesize
1.6MB

MD5
1ce9d2fa35466d6d37d1d56f63408884

SHA1
a389a7bcde0ed2e53bfe20379fd42ec9db7bf8fc

SHA256
0d08fd5994f0570ef78ba20f575849b2e9c9eb01aeb29c0cd7b5c534552870a1

SHA512
f3a939183f5bcac1d5cdf92b3061227e407d8e5d0119f40130ce0e31cdcb63e741ba8978fd0ca9c43e4a6e1e68d5dac54eea2dcc9921fd6e787a799b0c441cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\b778e45a-1c73-4505-ac09-797606878de1.vbs

Filesize
711B

MD5
5eb01b526e797634bf7f0200ed02e250

SHA1
15e6c0e3804902f32dffacf762a0b9aeb881bf17

SHA256
07cdee9a334b8ba9d39d4d140b02f8175bb2855b6398936bfd97265eee021d01

SHA512
a1ecd57c3f990bfb9163d8484b70c080244f9eae06937ff2278281480a7ee4c9cc028393682a23411a6fecb8ae2de697116f8c2a7cb3dc3cbab7b021bf34c4b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb7ad2d6-897a-410a-8a99-3abe9ca3d517.vbs

Filesize
711B

MD5
ac8caab24dd34a084e8753e59ac976a9

SHA1
62b4a5d067559b5c3a70d788654edc4dd7f06950

SHA256
e4bc302252f09a3a3ce606833b75188b6a8666a5cfddf3c064d620a8e11e66c3

SHA512
dd3e45ad1374b08b13d5312d25cf6dffc3054ec745c491e7b393bce76768b97463a4f85213c6de95ab925d001af50bde1272cf111ef031221a5f84aa5e4553ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb1ba657-31b7-4fc9-a632-92497e7c4257.vbs

Filesize
711B

MD5
706f579014472cf65493905035c55b58

SHA1
429fbb61b8e41bcb82808c7e6589bd799bc3b2cc

SHA256
f5504d968b4eed5a0a42bcc51788499a4cde5483571759a305d3f0d404e9c364

SHA512
cb0d17d816c6d4558e3de419f218d62aec62b963df5fabcac49c3e793269cdb34a680617dc605bc597b6b7093b6a6b783aba9572acfd8f0129d3534ffbf916d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce2c0ba4-790c-483d-ba54-d6923ca95480.vbs

Filesize
711B

MD5
bedc2ac535b9a6b939dec64ca7408bd1

SHA1
f4f268f53264696404b9b678fb5073f505b09029

SHA256
a1d5d8de734a92a1b673c708c90ed37a812300955f0f4369122a8f0e18a537da

SHA512
9b04e4f34a51af62b522fb755a97e42ef12d04e110ebaaec487ce9378c48fd836a6efd14076a9b7bcbf5a531494533934b1d1cb76c60aa6d52a64461fed0b15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbd680ef-2754-4629-b988-018dc2a6e378.vbs

Filesize
711B

MD5
a3f1a6b0a3b4815138b223ea24c917e4

SHA1
dc0ea63cc5c85a650c5af2c526f0095a4247a31e

SHA256
9bf76325f26e1a2273acfda54212ba4fbbda268419729bfb8386172664dd3bf3

SHA512
4ec661ef38cf6dd1b376b17a875e770613ecfb4cad126b651f387f936df38f9b9308631d84d7deb5efc3f6c65c1699b06fc529305e2d431106ced29352822095

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb3db5b1-cad1-44b1-a398-3eff57328c02.vbs

Filesize
711B

MD5
59280b14ebdd5dbefd0e2e29aebacd1b

SHA1
0eb5f5cbb55cdcbc5153a7bd48fc9cd3b2d4bbc2

SHA256
df84845eb7bf9d9685cab28c8e964e7aaa4b0eb2e93f6ef2fa7644739e4e2516

SHA512
9283ddca2a44307a065a33d2d8a6a890b728ec62ab97033cd1e496030200a4e12e16910a89169cd74acf7f120871ff7f6ad15c34c624e806b08ecabf9f33268b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed69ed00-4d30-4850-8ad7-0451325969fb.vbs

Filesize
711B

MD5
ad4fe8745ac25bb3a3d83a2fbfcff29f

SHA1
cdaddafa9f6d55938a4b0e25f57fa02921bd9aa0

SHA256
0a59c5cc0e0349f1361cc26f27196f3c818c3dc4c3747760f5353b8fd05f1a4c

SHA512
5115eb166255cf7f08b4e7fec3e4ff0f3375441383a4a3617eb6a8e6b9503c76f8f7c6a599b6bfbc216e3d326d3e770135b920077e7b0079bad7a88ecca7e45f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2f691dd9cf7349a5558a23c677d41b5f

SHA1
3a5a8b1732a8d2e2a9ab3d6d13d063d6c4d1fef7

SHA256
9f543f7551360ec4c7521e6b9a09e621669f28cde77d0f8f76f9f5dcb8124018

SHA512
e9e84171ec1213dbeb518fb0b69f6563fbee3005451fe0d74cc3962c7661db8efcb42eaf2b6d7bf6e3bc1801ec8c700de9a6e742f1bd01f0d611c67119c4f1e8

Download Submit
C:\Users\Admin\Downloads\sppsvc.exe

Filesize
1.6MB

MD5
c0731565f6754fd0a6b17ca944fd5a49

SHA1
fe8f4581a9621d046f9e1c6aff0a28ba08fd06b1

SHA256
54525615718b60011b7065786adc22bd6fa8d4f988d63f114269690cf66870b2

SHA512
920e9dab3d4875f0ac367803d8b07b96303d4a134eb1f58921b3e766b1f9de35333acc47f4bd65643bf1ef2c9608f311a905bd3341203ba343a046e236ff5401

Download Submit
memory/548-101-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/556-226-0x0000000000C00000-0x0000000000DA2000-memory.dmp

Filesize
1.6MB

Download
memory/1316-100-0x00000000029F0000-0x00000000029F8000-memory.dmp

Filesize
32KB

Download
memory/1364-122-0x0000000001170000-0x0000000001312000-memory.dmp

Filesize
1.6MB

Download
memory/1788-145-0x0000000000320000-0x00000000004C2000-memory.dmp

Filesize
1.6MB

Download
memory/1832-157-0x0000000001010000-0x00000000011B2000-memory.dmp

Filesize
1.6MB

Download
memory/2328-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2328-9-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2328-1-0x0000000001320000-0x00000000014C2000-memory.dmp

Filesize
1.6MB

Download
memory/2328-16-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/2328-15-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download
memory/2328-14-0x00000000008D0000-0x00000000008D8000-memory.dmp

Filesize
32KB

Download
memory/2328-12-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2328-10-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2328-0-0x000007FEF6313000-0x000007FEF6314000-memory.dmp

Filesize
4KB

Download
memory/2328-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2328-13-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/2328-2-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-107-0x000007FEF6310000-0x000007FEF6CFC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-5-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2328-7-0x00000000003C0000-0x00000000003D0000-memory.dmp

Filesize
64KB

Download
memory/2328-6-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2328-4-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2328-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2424-169-0x00000000011E0000-0x0000000001382000-memory.dmp

Filesize
1.6MB

Download
memory/3056-214-0x0000000000050000-0x00000000001F2000-memory.dmp

Filesize
1.6MB

Download
memory/3060-111-0x0000000000E30000-0x0000000000FD2000-memory.dmp

Filesize
1.6MB

Download