dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
60s
max time network
62s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86513494c7861a5a0c9f1c0fb478e36d.exe
Size

2.5MB
MD5

86513494c7861a5a0c9f1c0fb478e36d
SHA1

0e7ef50b5b4d51bda8789151b444505e4fdec51f
SHA256

80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794
SHA512

e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff
SSDEEP

49152:bcuxJ/hk+7ZklWBJPxWMbKdZeQUj5xqJb6TquwYhx19ZyBNDGE:bcsSFlWBJJVbKkl2z/YhryBNDn

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 7 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1180	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1180	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2248	powershell.exe
2284	powershell.exe
2772	powershell.exe
2168	powershell.exe
1752	powershell.exe
1144	powershell.exe
2032	powershell.exe
2028	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1740	smss.exe
2728	smss.exe
3060	smss.exe
2644	smss.exe
2476	smss.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\PerfLogs\\Admin\\smss.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\\sppsvc.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\lsm.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files (x86)\\Google\\CrashReports\\wininit.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Users\\Default\\Music\\spoolsv.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Users\\Default\\Favorites\\OSPPSVC.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Windows\\assembly\\lsass.exe\""	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\wininit.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Program Files (x86)\Google\CrashReports\56085415360792	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXD59F.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXD60D.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\wininit.exe	86513494c7861a5a0c9f1c0fb478e36d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\assembly\6203df4a6bafc7	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\assembly\RCXDD62.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\assembly\RCXDDD1.tmp	86513494c7861a5a0c9f1c0fb478e36d.exe
File opened for modification	C:\Windows\assembly\lsass.exe	86513494c7861a5a0c9f1c0fb478e36d.exe
File created	C:\Windows\assembly\lsass.exe	86513494c7861a5a0c9f1c0fb478e36d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
2776	schtasks.exe
2952	schtasks.exe
2448	schtasks.exe
1412	schtasks.exe
1784	schtasks.exe
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
2028	powershell.exe
2248	powershell.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
2032	powershell.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1144	powershell.exe
2168	powershell.exe
2772	powershell.exe
1752	powershell.exe
2284	powershell.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1852	86513494c7861a5a0c9f1c0fb478e36d.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
1740	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe
2728	smss.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	86513494c7861a5a0c9f1c0fb478e36d.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1740	smss.exe
Token: SeDebugPrivilege	2728	smss.exe
Token: SeDebugPrivilege	3060	smss.exe
Token: SeDebugPrivilege	2644	smss.exe
Token: SeDebugPrivilege	2476	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2028	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	39
PID 1852 wrote to memory of 2028	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	39
PID 1852 wrote to memory of 2028	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	39
PID 1852 wrote to memory of 2032	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	40
PID 1852 wrote to memory of 2032	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	40
PID 1852 wrote to memory of 2032	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	40
PID 1852 wrote to memory of 1144	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	41
PID 1852 wrote to memory of 1144	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	41
PID 1852 wrote to memory of 1144	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	41
PID 1852 wrote to memory of 1752	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	45
PID 1852 wrote to memory of 1752	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	45
PID 1852 wrote to memory of 1752	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	45
PID 1852 wrote to memory of 2168	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	46
PID 1852 wrote to memory of 2168	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	46
PID 1852 wrote to memory of 2168	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	46
PID 1852 wrote to memory of 2284	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	47
PID 1852 wrote to memory of 2284	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	47
PID 1852 wrote to memory of 2284	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	47
PID 1852 wrote to memory of 2248	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	48
PID 1852 wrote to memory of 2248	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	48
PID 1852 wrote to memory of 2248	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	48
PID 1852 wrote to memory of 2772	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	49
PID 1852 wrote to memory of 2772	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	49
PID 1852 wrote to memory of 2772	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	49
PID 1852 wrote to memory of 1740	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	55
PID 1852 wrote to memory of 1740	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	55
PID 1852 wrote to memory of 1740	1852	86513494c7861a5a0c9f1c0fb478e36d.exe	55
PID 1740 wrote to memory of 2440	1740	smss.exe	56
PID 1740 wrote to memory of 2440	1740	smss.exe	56
PID 1740 wrote to memory of 2440	1740	smss.exe	56
PID 1740 wrote to memory of 2780	1740	smss.exe	57
PID 1740 wrote to memory of 2780	1740	smss.exe	57
PID 1740 wrote to memory of 2780	1740	smss.exe	57
PID 2440 wrote to memory of 2728	2440	WScript.exe	58
PID 2440 wrote to memory of 2728	2440	WScript.exe	58
PID 2440 wrote to memory of 2728	2440	WScript.exe	58
PID 2728 wrote to memory of 2896	2728	smss.exe	59
PID 2728 wrote to memory of 2896	2728	smss.exe	59
PID 2728 wrote to memory of 2896	2728	smss.exe	59
PID 2728 wrote to memory of 580	2728	smss.exe	60
PID 2728 wrote to memory of 580	2728	smss.exe	60
PID 2728 wrote to memory of 580	2728	smss.exe	60
PID 2896 wrote to memory of 3060	2896	WScript.exe	61
PID 2896 wrote to memory of 3060	2896	WScript.exe	61
PID 2896 wrote to memory of 3060	2896	WScript.exe	61
PID 3060 wrote to memory of 2100	3060	smss.exe	62
PID 3060 wrote to memory of 2100	3060	smss.exe	62
PID 3060 wrote to memory of 2100	3060	smss.exe	62
PID 3060 wrote to memory of 1124	3060	smss.exe	63
PID 3060 wrote to memory of 1124	3060	smss.exe	63
PID 3060 wrote to memory of 1124	3060	smss.exe	63
PID 2100 wrote to memory of 2644	2100	WScript.exe	64
PID 2100 wrote to memory of 2644	2100	WScript.exe	64
PID 2100 wrote to memory of 2644	2100	WScript.exe	64
PID 2644 wrote to memory of 1744	2644	smss.exe	65
PID 2644 wrote to memory of 1744	2644	smss.exe	65
PID 2644 wrote to memory of 1744	2644	smss.exe	65
PID 2644 wrote to memory of 828	2644	smss.exe	66
PID 2644 wrote to memory of 828	2644	smss.exe	66
PID 2644 wrote to memory of 828	2644	smss.exe	66
PID 1744 wrote to memory of 2476	1744	WScript.exe	67
PID 1744 wrote to memory of 2476	1744	WScript.exe	67
PID 1744 wrote to memory of 2476	1744	WScript.exe	67
PID 2476 wrote to memory of 2272	2476	smss.exe	68

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe
"C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86513494c7861a5a0c9f1c0fb478e36d.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\PerfLogs\Admin\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\PerfLogs\Admin\smss.exe
  "C:\PerfLogs\Admin\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06a67f62-6056-459a-97f2-27b90e7a7380.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\PerfLogs\Admin\smss.exe
      C:\PerfLogs\Admin\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3ac8f66-3489-433b-b331-67e2424af666.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\PerfLogs\Admin\smss.exe
        
        C:\PerfLogs\Admin\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b20d3072-7154-4c44-8193-88a0ac6950ec.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\PerfLogs\Admin\smss.exe
        
        C:\PerfLogs\Admin\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3526667e-e4db-4009-b5c9-5bad48fd5103.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\PerfLogs\Admin\smss.exe
        
        C:\PerfLogs\Admin\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b01e48bf-dfb2-44f0-a4e2-6934b8a1e233.vbs"
        11⤵
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94fa16fd-85d3-4c4f-9966-654c1417ac85.vbs"
        11⤵
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0ec56d5-215b-439d-835e-a8a7efed9b2c.vbs"
        9⤵
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fea1515-51f5-460b-b495-26a940e2b10a.vbs"
        7⤵
        
        PID:1124
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67aa02e5-e478-4882-b3a0-0db2c302a459.vbs"
        5⤵
        
        PID:580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1638da1b-91b5-4c1e-92b3-eafdac8a93c1.vbs"
    3⤵
    PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\PerfLogs\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\assembly\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\Admin\smss.exe

Filesize
2.5MB

MD5
d859d14c7f3b4c4802e8a06e69ae8d18

SHA1
c551b35055ef4c48a190538acdb2d2f4a319faf6

SHA256
13928a4a42a312fd1bec1bdeb2106063a0e568d2b2e60246a91b05dce96b3e96

SHA512
6e8cd2cced810e0cda84406e52aa6aa7d89ad18927259322cf9983aaefb557e116e3dda52268cb3db0ae5699a5a9a2ab7c10a50cf498be928d751f4f5f195ad6

Download Submit
C:\Program Files (x86)\Google\CrashReports\wininit.exe

Filesize
2.5MB

MD5
07aacc20909604c0763d9c97f8771ab8

SHA1
60d27b4d9686f03223fa883437f6762e10c441e6

SHA256
f91fc27c8bc5b97287e68477acc4b1b56149c457da168abd0abf6fe13bb97298

SHA512
ec26dbbfb77528f1e4d8996d5b927f0c3c5c416f3d6607a631851ae5770d0dd5a39ee4c112ece756a1bf2f60b4c062c4e75b3222003efa9de1112053db87e687

Download Submit
C:\Users\Admin\AppData\Local\Temp\06a67f62-6056-459a-97f2-27b90e7a7380.vbs

Filesize
702B

MD5
454d4b35644b20c81bff48b3594c8bc0

SHA1
1bcad892281366c01f8c62dcb506760cf37acd86

SHA256
2db5b47ab4a43523eee90d1d2966276c11cf1713a6e8e8e942b5af6574f37e11

SHA512
317cafa49665b4c717fd48842e4bc19072a561eab9de35c0eb665e70ef43d3db5ef9ffa99c0e66da7a023c1288643255966c8020e296f3657272152495ee1162

Download Submit
C:\Users\Admin\AppData\Local\Temp\1638da1b-91b5-4c1e-92b3-eafdac8a93c1.vbs

Filesize
478B

MD5
762a2e5db17ebd72e373be57af4a3913

SHA1
d8b06d68a9b3fecf0bf4aebd0b46ed254986cc97

SHA256
ddb44a3b16a48fe072a0b458ed0d885a98a69bee3c8eec53929a480ae893ae6f

SHA512
3bbe0991159f4883b940f6543b52caf52863038bbc0f757b54a0973f1a9bee6e4e8816e7cd6cdd144a0fc61dbacb4e4ca4e9ca439e9292c363411568a151dafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3526667e-e4db-4009-b5c9-5bad48fd5103.vbs

Filesize
702B

MD5
0a6ddfeca6fd67570da98d221c3980ff

SHA1
22a5a44e8f7c825970a48bcb7e36724236d2db18

SHA256
489ad00e23b7775baf4f2fd8290cdeb48df969408c336a8784bab1498c63a3e4

SHA512
39a4dfb34660f74247ef685dbb8f4dbf2fcbdf6e2b1bf74e245981104528f2d6c1caacdbc241428821f1ab0b387cbb333b84ed8f6c2da781e22763f4e235bb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b01e48bf-dfb2-44f0-a4e2-6934b8a1e233.vbs

Filesize
702B

MD5
5594b215adf9d47841f0c43b4c6b1ca6

SHA1
852bc1aa8705e92b3079f06f0fd35f47711d01f4

SHA256
f8c6e3c6d9bf95f333a65873038644c9f3f69f5777a859bbf3ff8da3e44aedcc

SHA512
097320db9b63487dfe11839c85ea64e97c790a855b7cdf3059b9425f9b901ca638d07ea19d5531e5f6707aad7af57531136db193247e9dcccf2e001f3f34362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b20d3072-7154-4c44-8193-88a0ac6950ec.vbs

Filesize
702B

MD5
2979677c85c025d4a8dfea1365d2ff77

SHA1
023ee4163038e9d836f3160201d1c12cd6ba6ff0

SHA256
7745766c08b442ea6b3767b5c10d19249b22ff6dc166ce99833fe673a01fc5bd

SHA512
43fcab7485a723210a557d81200231ef1da7761d7d52e985ba36d88835c2d9e80c449752f749534b830c973e4ec7579543109e006556166cb3c9940ef4eab67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3ac8f66-3489-433b-b331-67e2424af666.vbs

Filesize
702B

MD5
25668c755cdf5220d9f6588771e4d6c4

SHA1
a5f82eb97e273dd542ceca5e00dca3598ffba6f1

SHA256
63de71461653611cb9298375211a28f22bf33fbee28b52535243254726eee811

SHA512
639de17bd65985b19cc5826ef300ee2258ead5292c324d212138421c92d8fa2dac76495f2e9aefde0d105640dffa4e1fa1b3d1f901ce7469aac476327fdc6cf7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9be502ecfc6e530facfad032d9e6a13f

SHA1
ab4853abc4aa403e2b4a4ac4b6da3aa0cb62de65

SHA256
9f0b28b91dc631afc114652281d28278567f1fa9e2c506b5d90725271f20fe34

SHA512
544cd7eba281d6112a1100ee10f36535ce1f9292c60285b08688295012b9b95785775738866a7975ab7da237b458f1f9c3f7771a55005e16f9987eefb93f9da2

Download Submit
C:\Users\Default\Music\spoolsv.exe

Filesize
2.5MB

MD5
86513494c7861a5a0c9f1c0fb478e36d

SHA1
0e7ef50b5b4d51bda8789151b444505e4fdec51f

SHA256
80c020c2f71b279f7fdf6ad878ea772cbbcf248aab8c0b08b4db327d7dc86794

SHA512
e80e51cc26d5952cfbeda8154f785cd31688ac0e643c86f915ababb2cfac31ed7133621065e336ac56cf707865997707e1d1d189c4db36a8f87f6719e810a1ff

Download Submit
C:\Windows\assembly\lsass.exe

Filesize
2.5MB

MD5
3259b586592314208acbd962dfb19b19

SHA1
6d858d2fb921100aa3b4ba70a9477605c60b4b65

SHA256
cea6b7d3347ecc4b8497424d308206ad6a65e464f217c1c812190c1610b2a377

SHA512
ca6a0c61706371c8c792a674049c195e006e854b7de5c33b5811d5d670fd4946da755d05840b4a6219c6b47cb4911c7ef9a7c572b3a596e8e9fb1c116eb26bb6

Download Submit
memory/1740-160-0x0000000001270000-0x00000000014F6000-memory.dmp

Filesize
2.5MB

Download
memory/1852-12-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/1852-161-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/1852-15-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/1852-14-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/1852-13-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/1852-10-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/1852-2-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/1852-1-0x00000000011F0000-0x0000000001476000-memory.dmp

Filesize
2.5MB

Download
memory/1852-3-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1852-11-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

Filesize
40KB

Download
memory/1852-7-0x00000000005A0000-0x00000000005F6000-memory.dmp

Filesize
344KB

Download
memory/1852-4-0x0000000000570000-0x000000000058C000-memory.dmp

Filesize
112KB

Download
memory/1852-9-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/1852-16-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/1852-8-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1852-0-0x000007FEF5B93000-0x000007FEF5B94000-memory.dmp

Filesize
4KB

Download
memory/1852-5-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/1852-6-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2028-118-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2028-123-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2476-210-0x0000000000EB0000-0x0000000001136000-memory.dmp

Filesize
2.5MB

Download
memory/2476-211-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2644-198-0x0000000000050000-0x00000000002D6000-memory.dmp

Filesize
2.5MB

Download
memory/2728-172-0x0000000000290000-0x0000000000516000-memory.dmp

Filesize
2.5MB

Download
memory/3060-184-0x0000000000B20000-0x0000000000DA6000-memory.dmp

Filesize
2.5MB

Download
memory/3060-185-0x0000000000AD0000-0x0000000000B26000-memory.dmp

Filesize
344KB

Download
memory/3060-186-0x0000000000A40000-0x0000000000A52000-memory.dmp

Filesize
72KB

Download