dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
60s
max time network
60s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:17 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Size

2.5MB
MD5

3dbf7d9fdfd5a0151f1003095ba9655c
SHA1

4f5de06a720298a5e32660fd0f56733ad611060f
SHA256

86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26
SHA512

3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef
SSDEEP

49152:qGVFTkAxSKOfsx79ZnGGHMgVj2x+0XrSqWsn+fz+pV6ZKvTYnp:qGVyWNGGN2sqWs+fz+pVZTYp

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2748	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2748	schtasks.exe	30

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1816	powershell.exe
2040	powershell.exe
112	powershell.exe
536	powershell.exe
1088	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
3008	winlogon.exe
2924	winlogon.exe
2312	winlogon.exe
1756	winlogon.exe
2088	winlogon.exe
2400	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\System32\\msls31\\winlogon.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft .NET Framework 4.7.2 Setup_20240903_051533842\\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\perfi00A\\csrss.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPCEXT\\OSPPSVC.exe\""	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\perfi00A\csrss.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\perfi00A\RCXA950.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\perfi00A\RCXA951.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\perfi00A\csrss.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\msls31\cc11b995f2a76d	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\perfi00A\886983d96e3d3e	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\msls31\RCXA4C9.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\msls31\RCXA538.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Windows\System32\msls31\winlogon.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Windows\System32\msls31\winlogon.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\RCXABC3.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\1610b97d3ab4a7	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\RCXABC2.tmp	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2848	schtasks.exe
2452	schtasks.exe
2752	schtasks.exe
2780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
112	powershell.exe
2040	powershell.exe
1816	powershell.exe
1088	powershell.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
536	powershell.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
3008	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe
2924	winlogon.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	3008	winlogon.exe
Token: SeDebugPrivilege	2924	winlogon.exe
Token: SeDebugPrivilege	2312	winlogon.exe
Token: SeDebugPrivilege	1756	winlogon.exe
Token: SeDebugPrivilege	2088	winlogon.exe
Token: SeDebugPrivilege	2400	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 1816	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	35
PID 2400 wrote to memory of 1816	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	35
PID 2400 wrote to memory of 1816	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	35
PID 2400 wrote to memory of 2040	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2400 wrote to memory of 2040	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2400 wrote to memory of 2040	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	36
PID 2400 wrote to memory of 112	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	37
PID 2400 wrote to memory of 112	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	37
PID 2400 wrote to memory of 112	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	37
PID 2400 wrote to memory of 536	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	38
PID 2400 wrote to memory of 536	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	38
PID 2400 wrote to memory of 536	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	38
PID 2400 wrote to memory of 1088	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2400 wrote to memory of 1088	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2400 wrote to memory of 1088	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	39
PID 2400 wrote to memory of 3008	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	45
PID 2400 wrote to memory of 3008	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	45
PID 2400 wrote to memory of 3008	2400	86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe	45
PID 3008 wrote to memory of 840	3008	winlogon.exe	46
PID 3008 wrote to memory of 840	3008	winlogon.exe	46
PID 3008 wrote to memory of 840	3008	winlogon.exe	46
PID 3008 wrote to memory of 1560	3008	winlogon.exe	47
PID 3008 wrote to memory of 1560	3008	winlogon.exe	47
PID 3008 wrote to memory of 1560	3008	winlogon.exe	47
PID 840 wrote to memory of 2924	840	WScript.exe	49
PID 840 wrote to memory of 2924	840	WScript.exe	49
PID 840 wrote to memory of 2924	840	WScript.exe	49
PID 2924 wrote to memory of 2996	2924	winlogon.exe	50
PID 2924 wrote to memory of 2996	2924	winlogon.exe	50
PID 2924 wrote to memory of 2996	2924	winlogon.exe	50
PID 2924 wrote to memory of 3040	2924	winlogon.exe	51
PID 2924 wrote to memory of 3040	2924	winlogon.exe	51
PID 2924 wrote to memory of 3040	2924	winlogon.exe	51
PID 2996 wrote to memory of 2312	2996	WScript.exe	52
PID 2996 wrote to memory of 2312	2996	WScript.exe	52
PID 2996 wrote to memory of 2312	2996	WScript.exe	52
PID 2312 wrote to memory of 2452	2312	winlogon.exe	53
PID 2312 wrote to memory of 2452	2312	winlogon.exe	53
PID 2312 wrote to memory of 2452	2312	winlogon.exe	53
PID 2312 wrote to memory of 2668	2312	winlogon.exe	54
PID 2312 wrote to memory of 2668	2312	winlogon.exe	54
PID 2312 wrote to memory of 2668	2312	winlogon.exe	54
PID 2452 wrote to memory of 1756	2452	WScript.exe	55
PID 2452 wrote to memory of 1756	2452	WScript.exe	55
PID 2452 wrote to memory of 1756	2452	WScript.exe	55
PID 1756 wrote to memory of 1824	1756	winlogon.exe	56
PID 1756 wrote to memory of 1824	1756	winlogon.exe	56
PID 1756 wrote to memory of 1824	1756	winlogon.exe	56
PID 1756 wrote to memory of 2108	1756	winlogon.exe	57
PID 1756 wrote to memory of 2108	1756	winlogon.exe	57
PID 1756 wrote to memory of 2108	1756	winlogon.exe	57
PID 1824 wrote to memory of 2088	1824	WScript.exe	58
PID 1824 wrote to memory of 2088	1824	WScript.exe	58
PID 1824 wrote to memory of 2088	1824	WScript.exe	58
PID 2088 wrote to memory of 1872	2088	winlogon.exe	59
PID 2088 wrote to memory of 1872	2088	winlogon.exe	59
PID 2088 wrote to memory of 1872	2088	winlogon.exe	59
PID 2088 wrote to memory of 332	2088	winlogon.exe	60
PID 2088 wrote to memory of 332	2088	winlogon.exe	60
PID 2088 wrote to memory of 332	2088	winlogon.exe	60
PID 1872 wrote to memory of 2400	1872	WScript.exe	61
PID 1872 wrote to memory of 2400	1872	WScript.exe	61
PID 1872 wrote to memory of 2400	1872	WScript.exe	61
PID 2400 wrote to memory of 1884	2400	winlogon.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe
"C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\msls31\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051533842\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\perfi00A\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\msls31\winlogon.exe
  "C:\Windows\System32\msls31\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ea26b17-f674-41f9-8413-c63a3312d59e.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\System32\msls31\winlogon.exe
      C:\Windows\System32\msls31\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d17c9da-a28b-4997-86e2-9f624c12a58f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\System32\msls31\winlogon.exe
        
        C:\Windows\System32\msls31\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00370549-0001-4939-9197-d7b558d4915b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\System32\msls31\winlogon.exe
        
        C:\Windows\System32\msls31\winlogon.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b6e90189-a88e-4e25-9c59-44fac0cbb4db.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\System32\msls31\winlogon.exe
        
        C:\Windows\System32\msls31\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fa97a4f-ca9f-475d-92bf-df7f495016a2.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\System32\msls31\winlogon.exe
        
        C:\Windows\System32\msls31\winlogon.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5899388a-d72a-4134-80eb-3639d65c69dc.vbs"
        13⤵
        
        PID:1884
        
        C:\Windows\System32\msls31\winlogon.exe
        
        C:\Windows\System32\msls31\winlogon.exe
        14⤵
        
        PID:1764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e431540-f04c-4ab6-81e4-03ea9da763bb.vbs"
        13⤵
        
        PID:628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29d5f2a7-8274-4071-9dfe-0f00b0845a67.vbs"
        11⤵
        
        PID:332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c07a1a59-c4d5-485f-ab78-c903d0f22581.vbs"
        9⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79791a24-5e12-4b4d-bcc7-f27936a83960.vbs"
        7⤵
        
        PID:2668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\986378bc-4d06-493a-a50b-de62be3b35cf.vbs"
        5⤵
        
        PID:3040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c02e90f4-51fd-472f-98c9-da84e74ed7d4.vbs"
    3⤵
    PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\msls31\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240903_051533842\86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\perfi00A\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

Network

DNS

u13794788m.ha003.t.justns.ru

winlogon.exe

Remote address:

8.8.8.8:53

Request

u13794788m.ha003.t.justns.ru

IN A

Response

No results found

8.8.8.8:53

u13794788m.ha003.t.justns.ru

dns

winlogon.exe

74 B
134 B
1
1

DNS Request

u13794788m.ha003.t.justns.ru

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\00370549-0001-4939-9197-d7b558d4915b.vbs

Filesize
715B

MD5
7f0718434ca2adb6ff967fcbe923a0a4

SHA1
c2512d86aed786335394880c72251ee1b5c0dd8d

SHA256
457a12bc5b35dc2534c73bd6bad82c9cd915e490d89474898ab14e790bc96cb8

SHA512
84cadbc4711c41b150df07f31c45b6ce9e28a7022118eeb23568c0a1f8b49fd9f6da2e62a9b0eb65d4baa5e198766aab8e1fd1955ba3fb2adc6375e3a36170bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5899388a-d72a-4134-80eb-3639d65c69dc.vbs

Filesize
715B

MD5
3aa3156ca4249c4ea80837e74835e3cb

SHA1
b9a055b1514e0636dbe8e575df0e999bb9fc504b

SHA256
10e9cf7141c1175e986c7640b4797d866083a9f65907a2d30b7749b39d08ac8e

SHA512
4f2173fe23885068c58612712c9071e756ed1802d6980a92eaee6506fc0fd78922eef278235c9bf7bdeb5261ce37e7cd481a4d01d4731dbc821704f62599810b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ea26b17-f674-41f9-8413-c63a3312d59e.vbs

Filesize
715B

MD5
d41820e9704cd8968ec00ca60a757d71

SHA1
1abf23a222cc145bfde81633a6ce96538b44a927

SHA256
80d0cc33d41745d246a67d9d8d1b8ef488514e0bf9bc0c36758232cc2e25d63b

SHA512
72bcd5e179fd6767328543c6707fc00150af368d533aa76a17290535dd86b7d842d545b08d4bfce8a3f2f6cf759bed3b6c030ca1390cbb0af173f5886c001942

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d17c9da-a28b-4997-86e2-9f624c12a58f.vbs

Filesize
715B

MD5
32737b501563f2fc60853651bfc8ebed

SHA1
98fcca835103e9cb07a88e064a26f23b70f8a31b

SHA256
650a8cc797eb47d1360c1f5743be89b8775464a3d9fce443b6ce63434de2b58c

SHA512
22d287a26e8877378541df6bc5f4c89d0e8ce0ff8c48e5a217ef328a367043dbb2a6179df5c21ad7edd5dccb6d6019f01e64047b409d1d82e09b570e10070206

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fa97a4f-ca9f-475d-92bf-df7f495016a2.vbs

Filesize
715B

MD5
f96ddf1710cc8ccf320bac0d03d05e94

SHA1
5236f56c93dd6bea00df90aee675d586fc35b586

SHA256
494c92e60067131bcf8e5b715b91277d1acb22a793ed8d8589accb667ae48dc8

SHA512
d394c4e3797a8348b516a9df5078b76d01b9d64be9133f2cf98f7e2375f1158d3edb3c6f5c78a22f1ef1fb71cc7f3c05c1d2ebdc2aedacaff5994605a6b94d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCXA2C6.tmp

Filesize
2.5MB

MD5
3dbf7d9fdfd5a0151f1003095ba9655c

SHA1
4f5de06a720298a5e32660fd0f56733ad611060f

SHA256
86ca2f06f1e43f97c616f5789068661219c9f549b8a3ad2ad0a481eac0bdea26

SHA512
3405c202bad0e95f18341f8c664f94626bec55db6ef9c15ff9a5b6cb2632e73375fec802d64e5ca3b924829ec1729c06f01fcb9a5013ac22d5b5b437812eb2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6e90189-a88e-4e25-9c59-44fac0cbb4db.vbs

Filesize
715B

MD5
f35623f0c47ca912382633ae0d75b92d

SHA1
e0a0e66a5604431a3b2fd9c0e6d97d0f26200274

SHA256
a7ea041399025d0629ef8d3984e98ee5e6edf792233ea49396c9bb9bd0d2e1f0

SHA512
2326dbb48668a0d2a6c567a03e6cdda063726ac80e37046aaa906de5a4e2dcc151c1e2199507a1058b6978d09305cbccd42c522981459ba868cec618b958dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\c02e90f4-51fd-472f-98c9-da84e74ed7d4.vbs

Filesize
491B

MD5
218a3d6baa3b8265457250673432d6a5

SHA1
15571c08ea18efe06d36f1ace26ee3872c752316

SHA256
e96962f3ad2aa706a140dd23204d855addcb5035ab514bb0fe1f85b60255f35a

SHA512
4abd22514dcc3dbc0029f0e2cc8b454f490f050d4987fcae02fa5b61552a2ec734aef74d1f04fe00e2497cb9b6fe1f3c0411bac943ad6af05b0d7b897a4ae061

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
895e4408e1ae09961745cd1314e9f245

SHA1
3159ded595a584dee4c602e4b15d245657fcb054

SHA256
12b34ad904e5df1c7add648942e76f5476decf3a91e53547e820aeab7ba6455b

SHA512
286bec9236de8a4f7bbf33c291cd49c89b115af2a5984dd91fe9bab1b63334133dca22b6f27e9eafe01a7fca97bd9a3ae4590e651435def0befffecda836232a

Download Submit
C:\Windows\System32\msls31\winlogon.exe

Filesize
1.1MB

MD5
2043482b41600b155c3aa1a393aeb4df

SHA1
e0e94ba90d6f598ae02d901b3b2356a44c0b8de3

SHA256
67c245b7ebeae9648bd9cf11cec87b22be23a19f523aec4541d34150263ae2a3

SHA512
15f782ae3431d4f1fbc4ae8d698e526a8c7ff3465c3fe815619e0dc51624e37dc1c378458a6973671eedf9dbad1a270f575b8d43ce92478eb41c7ecd56cc3c47

Download Submit
C:\Windows\System32\msls31\winlogon.exe

Filesize
2.5MB

MD5
4af45d1e4d80d51cb2bcf70142a6256e

SHA1
53a8c0a333b72a27bf7f1b41db1c38807bb1680a

SHA256
78bda4e0219b0fcf981bdef3be7427787cfe8a5d4d845402a02927f4b807b332

SHA512
ce324981350711a2d8089ba0b9dbd1bf8e2408a6698b41d02d4868b22207b22c98e1dc8f7e219c2d5221ba6534cd3e45a97deb969242dc544c6da8ef476a4073

Download Submit
memory/112-95-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2040-96-0x0000000002900000-0x0000000002908000-memory.dmp

Filesize
32KB

Download
memory/2400-16-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/2400-5-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/2400-15-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2400-0-0x000007FEF5923000-0x000007FEF5924000-memory.dmp

Filesize
4KB

Download
memory/2400-13-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/2400-12-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2400-10-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/2400-11-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2400-9-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/2400-105-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-1-0x00000000010D0000-0x0000000001356000-memory.dmp

Filesize
2.5MB

Download
memory/2400-2-0x000007FEF5920000-0x000007FEF630C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-3-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2400-8-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/2400-7-0x00000000005B0000-0x0000000000606000-memory.dmp

Filesize
344KB

Download
memory/2400-6-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/2400-14-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2400-4-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3008-111-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/3008-110-0x0000000000BC0000-0x0000000000C16000-memory.dmp

Filesize
344KB

Download
memory/3008-104-0x0000000001340000-0x00000000015C6000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.