dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Size

1.6MB
MD5

7fbc72dcc67b2b7366c90f81051bd68a
SHA1

bdd22f70686afb5bf32d638eee6fdd0891ec3248
SHA256

1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82
SHA512

e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2860	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2860	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/3004-1-0x0000000000D50000-0x0000000000EF2000-memory.dmp	dcrat
behavioral17/files/0x000b0000000122cf-27.dat	dcrat
behavioral17/memory/1436-71-0x00000000002F0000-0x0000000000492000-memory.dmp	dcrat
behavioral17/memory/2244-83-0x00000000009D0000-0x0000000000B72000-memory.dmp	dcrat
behavioral17/memory/880-95-0x00000000002B0000-0x0000000000452000-memory.dmp	dcrat
behavioral17/memory/3012-107-0x0000000000E40000-0x0000000000FE2000-memory.dmp	dcrat
behavioral17/memory/2196-119-0x00000000001F0000-0x0000000000392000-memory.dmp	dcrat
behavioral17/memory/948-131-0x0000000000F70000-0x0000000001112000-memory.dmp	dcrat
behavioral17/memory/732-143-0x0000000001370000-0x0000000001512000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1576	powershell.exe
752	powershell.exe
844	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1436	dwm.exe
2244	dwm.exe
880	dwm.exe
3012	dwm.exe
2196	dwm.exe
948	dwm.exe
732	dwm.exe
2988	dwm.exe
784	dwm.exe
2604	dwm.exe
1592	dwm.exe
732	dwm.exe
2956	dwm.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\lsm.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Windows Sidebar\es-ES\lsm.exe	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File created	C:\Program Files\Windows Sidebar\es-ES\101b941d020240	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXC833.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCXC834.tmp	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
2932	schtasks.exe
2848	schtasks.exe
2776	schtasks.exe
2904	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
752	powershell.exe
1576	powershell.exe
844	powershell.exe
1436	dwm.exe
2244	dwm.exe
880	dwm.exe
3012	dwm.exe
2196	dwm.exe
948	dwm.exe
732	dwm.exe
2988	dwm.exe
784	dwm.exe
2604	dwm.exe
1592	dwm.exe
732	dwm.exe
2956	dwm.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1436	dwm.exe
Token: SeDebugPrivilege	2244	dwm.exe
Token: SeDebugPrivilege	880	dwm.exe
Token: SeDebugPrivilege	3012	dwm.exe
Token: SeDebugPrivilege	2196	dwm.exe
Token: SeDebugPrivilege	948	dwm.exe
Token: SeDebugPrivilege	732	dwm.exe
Token: SeDebugPrivilege	2988	dwm.exe
Token: SeDebugPrivilege	784	dwm.exe
Token: SeDebugPrivilege	2604	dwm.exe
Token: SeDebugPrivilege	1592	dwm.exe
Token: SeDebugPrivilege	732	dwm.exe
Token: SeDebugPrivilege	2956	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 1576	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	37
PID 3004 wrote to memory of 1576	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	37
PID 3004 wrote to memory of 1576	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	37
PID 3004 wrote to memory of 752	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	38
PID 3004 wrote to memory of 752	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	38
PID 3004 wrote to memory of 752	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	38
PID 3004 wrote to memory of 844	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	39
PID 3004 wrote to memory of 844	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	39
PID 3004 wrote to memory of 844	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	39
PID 3004 wrote to memory of 1436	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	43
PID 3004 wrote to memory of 1436	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	43
PID 3004 wrote to memory of 1436	3004	1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe	43
PID 1436 wrote to memory of 1704	1436	dwm.exe	44
PID 1436 wrote to memory of 1704	1436	dwm.exe	44
PID 1436 wrote to memory of 1704	1436	dwm.exe	44
PID 1436 wrote to memory of 2228	1436	dwm.exe	45
PID 1436 wrote to memory of 2228	1436	dwm.exe	45
PID 1436 wrote to memory of 2228	1436	dwm.exe	45
PID 1704 wrote to memory of 2244	1704	WScript.exe	47
PID 1704 wrote to memory of 2244	1704	WScript.exe	47
PID 1704 wrote to memory of 2244	1704	WScript.exe	47
PID 2244 wrote to memory of 2060	2244	dwm.exe	48
PID 2244 wrote to memory of 2060	2244	dwm.exe	48
PID 2244 wrote to memory of 2060	2244	dwm.exe	48
PID 2244 wrote to memory of 1632	2244	dwm.exe	49
PID 2244 wrote to memory of 1632	2244	dwm.exe	49
PID 2244 wrote to memory of 1632	2244	dwm.exe	49
PID 2060 wrote to memory of 880	2060	WScript.exe	50
PID 2060 wrote to memory of 880	2060	WScript.exe	50
PID 2060 wrote to memory of 880	2060	WScript.exe	50
PID 880 wrote to memory of 2756	880	dwm.exe	51
PID 880 wrote to memory of 2756	880	dwm.exe	51
PID 880 wrote to memory of 2756	880	dwm.exe	51
PID 880 wrote to memory of 2880	880	dwm.exe	52
PID 880 wrote to memory of 2880	880	dwm.exe	52
PID 880 wrote to memory of 2880	880	dwm.exe	52
PID 2756 wrote to memory of 3012	2756	WScript.exe	53
PID 2756 wrote to memory of 3012	2756	WScript.exe	53
PID 2756 wrote to memory of 3012	2756	WScript.exe	53
PID 3012 wrote to memory of 2004	3012	dwm.exe	54
PID 3012 wrote to memory of 2004	3012	dwm.exe	54
PID 3012 wrote to memory of 2004	3012	dwm.exe	54
PID 3012 wrote to memory of 1260	3012	dwm.exe	55
PID 3012 wrote to memory of 1260	3012	dwm.exe	55
PID 3012 wrote to memory of 1260	3012	dwm.exe	55
PID 2004 wrote to memory of 2196	2004	WScript.exe	56
PID 2004 wrote to memory of 2196	2004	WScript.exe	56
PID 2004 wrote to memory of 2196	2004	WScript.exe	56
PID 2196 wrote to memory of 2140	2196	dwm.exe	57
PID 2196 wrote to memory of 2140	2196	dwm.exe	57
PID 2196 wrote to memory of 2140	2196	dwm.exe	57
PID 2196 wrote to memory of 2940	2196	dwm.exe	58
PID 2196 wrote to memory of 2940	2196	dwm.exe	58
PID 2196 wrote to memory of 2940	2196	dwm.exe	58
PID 2140 wrote to memory of 948	2140	WScript.exe	59
PID 2140 wrote to memory of 948	2140	WScript.exe	59
PID 2140 wrote to memory of 948	2140	WScript.exe	59
PID 948 wrote to memory of 2088	948	dwm.exe	60
PID 948 wrote to memory of 2088	948	dwm.exe	60
PID 948 wrote to memory of 2088	948	dwm.exe	60
PID 948 wrote to memory of 2968	948	dwm.exe	61
PID 948 wrote to memory of 2968	948	dwm.exe	61
PID 948 wrote to memory of 2968	948	dwm.exe	61
PID 2088 wrote to memory of 732	2088	WScript.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe
"C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\es-ES\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
  "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28385eb7-401f-44c0-9cac-b1761397528b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
      C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e186d45-d9a1-4d15-bd29-73b20da9d184.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2060
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcd408dd-6b3d-44e9-8051-d836ff4b2676.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2c68ad6-22e7-4fc6-b9a1-518011a0dd8c.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b2fa967-6fc4-4b1b-a848-b0af10298d1d.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a28f65c-37f1-44fc-b650-abe8d7e57563.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d4eccef-047b-4780-88fb-2a09d2d4f687.vbs"
        15⤵
        
        PID:2628
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce59b313-8a80-493d-adb1-9ae9863329bb.vbs"
        17⤵
        
        PID:1664
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c57898bb-2acf-44e4-9551-def1a3386b60.vbs"
        19⤵
        
        PID:2004
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ba2cce3-7d7d-4099-a79c-bf2404734e42.vbs"
        21⤵
        
        PID:2936
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\816321db-7396-41c5-b025-7dea199d6777.vbs"
        23⤵
        
        PID:2544
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9894bb53-396f-44fa-9e55-a13515bcd29e.vbs"
        25⤵
        
        PID:2372
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e584039-64fa-4e0f-a9c6-fd7790d8c41c.vbs"
        25⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6911ab6-860f-48c8-b31c-01ba1b30455f.vbs"
        23⤵
        
        PID:2872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afddb3ce-23c8-4cf6-8051-e6b935135edc.vbs"
        21⤵
        
        PID:1776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ede7f57e-330b-45bf-8bb1-09927fc2458d.vbs"
        19⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d2b6870-f62b-4c29-a0cb-7b2b1ac90d41.vbs"
        17⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e1ab559-9bab-4f17-8395-aa806c9046a8.vbs"
        15⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2af7574-a35e-4a6d-80d4-70f6f29abf4a.vbs"
        13⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2935ee52-5bbe-41fc-bd7a-47bb6dae6ff6.vbs"
        11⤵
        
        PID:2940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\228da9dc-9a2f-4b5b-9c5c-bde21392224a.vbs"
        9⤵
        
        PID:1260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a1e89a6-d008-418a-abaf-84811ab51c5c.vbs"
        7⤵
        
        PID:2880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31781010-59be-465d-96ad-9ca16df7d9fa.vbs"
        5⤵
        
        PID:1632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf6dd38f-82d3-4274-bc81-9a86090bb82c.vbs"
    3⤵
    PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe

Filesize
1.6MB

MD5
7fbc72dcc67b2b7366c90f81051bd68a

SHA1
bdd22f70686afb5bf32d638eee6fdd0891ec3248

SHA256
1ecd5f6fdf2f65654ca8817c13079375770ae5a21f0899a7f35a86777cedee82

SHA512
e06c18cc9823741d8eea0ff78ad38ae88125fb5c795661107f09aaf977786fe420323d5be0990bc9cb1138e1cbe21d7cb21ce826f6e18df71354e710836b7025

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a28f65c-37f1-44fc-b650-abe8d7e57563.vbs

Filesize
731B

MD5
ab6b25e83b7b5a21e9894be1a74619b7

SHA1
84fe8e8093e8ebb4502b5b4347d439dba2807934

SHA256
f29b1929b095f2cd7e7dd8dbaddd9529812f8652ef73643913736e1302ca704d

SHA512
edf8785f67b67b020ba0a31c71676e3996ae022e818ad3815c0691b0d9f86e1c66509c34fe0b2116f7365ea8fe40a1e40f58e31607f8eb000bb4821dc5d4d8bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\28385eb7-401f-44c0-9cac-b1761397528b.vbs

Filesize
732B

MD5
e2c99e5d3d51a47ad06875a6046c03b5

SHA1
044b3048558d795549dae1ce0a57ae59c7040dbf

SHA256
a25520e8748ec3858038aa5eb4215f052a35ea0ec96dbb0fe723e25600affe8f

SHA512
4f6cf5e7d87a5187a30c8876cb6fe8e827aa9167b3d44b34a5fb610519970a474e979e90b988246cc77abeb45b8367c4edf98cd9b01abfede063f414cbe17a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e186d45-d9a1-4d15-bd29-73b20da9d184.vbs

Filesize
732B

MD5
2105ff904499fad93dccd8f29e6f9638

SHA1
bb747a2059969e521052869b6da2ef18fabf2d58

SHA256
73d6cf41e79f40065e236afb9b0f760fad69104ff17f25ccaafcc31c9d246920

SHA512
6ab02e5cf2c1fa0339ee86e595777834fcca87eec89c404e169bb77026d864e54ee925dd2a184bc596362b41f2087e812c90fe16e49edd7f51d5a87d278afe7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ba2cce3-7d7d-4099-a79c-bf2404734e42.vbs

Filesize
732B

MD5
b07c2564b31e5f78516b84ec61856735

SHA1
da879703d8378ec2f9badae95289c35dd893e5e8

SHA256
d060e4d7209a29ce8139fc628c5d81f79f3bbe223009a4ffc7f34d785d92ea8c

SHA512
fd84d7b9f98d465a7604bc5a93f894d8088d02da628b36a96fc9586356f4fd84d54adf6674f2104134b0f5dc6a7ccee63f64c685b8616ac574311b08eb3b24f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d4eccef-047b-4780-88fb-2a09d2d4f687.vbs

Filesize
731B

MD5
c79e23649b8bc64d90b0791a6da57f9a

SHA1
1d10ded314e3aa0b4f0864b452cb6fb5b2b8872c

SHA256
a7b5689e573012995290a7f316929eddb5a28232744904bc5e3437ba00f4bed6

SHA512
6642d1ff4f8e5ba978a56a8c7042c9cc4c7ed56584b3fa58de61cd50044c1c68822cd6fb5f840088d9fba4b909d56faca1b7ad77c391630b7f969c04155ded9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b2fa967-6fc4-4b1b-a848-b0af10298d1d.vbs

Filesize
732B

MD5
35f204ba0a7c55b0084fe7085a8646e5

SHA1
b5ee37531832de6870cb0af635f66401c0ec9d0f

SHA256
d17af5a709cdd0662f9f74878dcb98043fa7be2d46bffae46bc6c087a5a78b81

SHA512
53b238a4c9703601b9be59988989d862b11a2984df41386dc5a730ac5ba837fe3b9517f3c140c0a9cc453ca2323ddee0c8b4deae9df46f8d2ca75434ee006e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\816321db-7396-41c5-b025-7dea199d6777.vbs

Filesize
732B

MD5
648a0e9da9d25aa1f5a39e50d58a053f

SHA1
6de7624dd5f1a81ca45640be052808d931d5b37a

SHA256
da96a615dc9990e5b9debcfc4b434409e94cf770b894d4fee9ecc931328a9172

SHA512
8c32fb24463cda292a1162bfbcc04c00a9a14942de597a7becb1b3db72a5ba04bdc1076bb4278cfa1d90713e6d8b0e4883d12d076a3ce695233876ce403b990b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf6dd38f-82d3-4274-bc81-9a86090bb82c.vbs

Filesize
508B

MD5
0fc2b20e342dda1b27ee81048cedd1fc

SHA1
89f543611c7ca26411c60cd67a431d7844a97832

SHA256
613e45ef37c805cd4ef038404bb24b052b726118a17d2fb29034718f64e5375b

SHA512
da38b5a68f92916290ce80e1ad534778dda49ae43d3fd2f074c943519fcfe04e991e0f03703c3bd68d80fec43449de1ed966edc2c02bf61cecc5fb06da58ce75

Download Submit
C:\Users\Admin\AppData\Local\Temp\c57898bb-2acf-44e4-9551-def1a3386b60.vbs

Filesize
731B

MD5
380ae2c70c4f268bc676bc78011004a6

SHA1
9f39e6f8deea57977bb285a6ad4635633e6b7dcb

SHA256
d7bd3fc2739ef1ba098931c4e8fa450cf48928bc57a42c84a6d46254d4800a96

SHA512
828b8c1edf4781f2a337df95927e96fb53e34c1263fd2128ef15de22fd73491460feced140e7a55f99e6925a85afe5525c473655fc6a127f4992e776d9f5ac9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce59b313-8a80-493d-adb1-9ae9863329bb.vbs

Filesize
732B

MD5
fe7cc3e8dd116df5e363cd3cc047336f

SHA1
7905c857ceb3ed6b0eb5c666cde470cf4a992a15

SHA256
630f6ae5178d024d72dfd11bc6a8542bf43134c4fbc739825e144bcf1b65b676

SHA512
986cf6c2192356e74f083836804c1743364c95b3e248986e5058db26b94154b1c4f108198de0a1b7dbf8d65115da5b58c0ee73adb7447df7a6eea074a1cb3ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2c68ad6-22e7-4fc6-b9a1-518011a0dd8c.vbs

Filesize
732B

MD5
f9a675e216ad7aafddd545a8e559e1a8

SHA1
29eb11f6dc62037550e618f2448fca85c851d930

SHA256
c3a5a95d5f6125f3be53ec8b08e5d68eeee795be617bac4e84001893eff0df53

SHA512
ea3bb8f61df2b8116d436d62bece5b772d3fca869732a88ce1ddfc38c53bc8be5b5bb6060cae9ff2fbcd9db644bddd204352ec49cdd4cdead0ef0e2519c79404

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcd408dd-6b3d-44e9-8051-d836ff4b2676.vbs

Filesize
731B

MD5
75b289d3d1b0940e4fa3b02008ba68c5

SHA1
549b965d9433471bfaf294a7aaf4e9226026e75a

SHA256
9114e3498e95be3cb73c562782e6c47ea4d52a12570134ad211a9fc872abf5aa

SHA512
be0374e7bd67ab5333464505d75b2ad0bbb778749645c29735bdfe7f8d6b1d8e6b7aa22ff5fbd357209dbfc0a80b238298eefec7bfb8c22b9d61c20b7473265b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
09b6677b6a8cc4ae804c5b66c6602628

SHA1
9ac1e23428dc71e63bb6943b98950920f5b61ade

SHA256
34842ceb66d2ce48c6f7b296abd325e8591e6d0e4ce6a0c5e4852ac7e657441d

SHA512
ecc347cbfaca12fe6bf646b07210789f73c6e974d9b8e6b54c2c9948fb6ebab1e413c6b4909717b36b2aa7c33040cd6879fb30c91824ad44e99485c754540e9f

Download Submit
memory/732-143-0x0000000001370000-0x0000000001512000-memory.dmp

Filesize
1.6MB

Download
memory/752-70-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/844-69-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/880-95-0x00000000002B0000-0x0000000000452000-memory.dmp

Filesize
1.6MB

Download
memory/948-131-0x0000000000F70000-0x0000000001112000-memory.dmp

Filesize
1.6MB

Download
memory/1436-71-0x00000000002F0000-0x0000000000492000-memory.dmp

Filesize
1.6MB

Download
memory/2196-119-0x00000000001F0000-0x0000000000392000-memory.dmp

Filesize
1.6MB

Download
memory/2244-83-0x00000000009D0000-0x0000000000B72000-memory.dmp

Filesize
1.6MB

Download
memory/3004-10-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/3004-16-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/3004-14-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/3004-72-0x000007FEF67C0000-0x000007FEF71AC000-memory.dmp

Filesize
9.9MB

Download
memory/3004-13-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/3004-12-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/3004-11-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/3004-1-0x0000000000D50000-0x0000000000EF2000-memory.dmp

Filesize
1.6MB

Download
memory/3004-0-0x000007FEF67C3000-0x000007FEF67C4000-memory.dmp

Filesize
4KB

Download
memory/3004-15-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/3004-9-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/3004-8-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/3004-7-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/3004-6-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/3004-5-0x0000000000730000-0x0000000000746000-memory.dmp

Filesize
88KB

Download
memory/3004-4-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/3004-3-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/3004-2-0x000007FEF67C0000-0x000007FEF71AC000-memory.dmp

Filesize
9.9MB

Download
memory/3012-107-0x0000000000E40000-0x0000000000FE2000-memory.dmp

Filesize
1.6MB

Download