dcrat | 3c5d4007aabc7835b586d15313645af2e823dfad1d487cad46453dc3474e2693

Analysis

max time kernel
57s
max time network
56s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855deb7775f714f1fc46d29fea8008d7.exe
Size

1.6MB
MD5

855deb7775f714f1fc46d29fea8008d7
SHA1

421d56096458fc456190f7c8d13fa3435c051264
SHA256

795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf
SHA512

7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2136	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2136	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/2112-1-0x00000000001B0000-0x0000000000352000-memory.dmp	dcrat
behavioral9/files/0x000500000001a322-25.dat	dcrat
behavioral9/files/0x000900000001a4de-66.dat	dcrat
behavioral9/files/0x000600000001a09f-88.dat	dcrat
behavioral9/memory/2196-147-0x0000000000940000-0x0000000000AE2000-memory.dmp	dcrat
behavioral9/memory/2216-158-0x0000000000AC0000-0x0000000000C62000-memory.dmp	dcrat
behavioral9/memory/700-170-0x00000000000E0000-0x0000000000282000-memory.dmp	dcrat
behavioral9/memory/1748-182-0x0000000000A70000-0x0000000000C12000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1152	powershell.exe
780	powershell.exe
1640	powershell.exe
2168	powershell.exe
1268	powershell.exe
2892	powershell.exe
1852	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
2196	services.exe
2216	services.exe
700	services.exe
1748	services.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\101b941d020240	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\spoolsv.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC6DE.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCXC951.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCC40.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Windows Portable Devices\lsass.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\f3b6ecef712a24	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\lsass.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\RCXC950.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCBD1.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Windows Portable Devices\6203df4a6bafc7	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\1610b97d3ab4a7	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC4DA.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXC2D4.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXC2D5.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXC4D9.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC74C.tmp	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Uninstall Information\lsm.exe	855deb7775f714f1fc46d29fea8008d7.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\spoolsv.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	855deb7775f714f1fc46d29fea8008d7.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	855deb7775f714f1fc46d29fea8008d7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2236	schtasks.exe
760	schtasks.exe
1260	schtasks.exe
2580	schtasks.exe
2672	schtasks.exe
2564	schtasks.exe
2976	schtasks.exe
2956	schtasks.exe
2688	schtasks.exe
2808	schtasks.exe
2772	schtasks.exe
2668	schtasks.exe
2876	schtasks.exe
1812	schtasks.exe
684	schtasks.exe
2216	schtasks.exe
2264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2112	855deb7775f714f1fc46d29fea8008d7.exe
2112	855deb7775f714f1fc46d29fea8008d7.exe
2112	855deb7775f714f1fc46d29fea8008d7.exe
2112	855deb7775f714f1fc46d29fea8008d7.exe
2112	855deb7775f714f1fc46d29fea8008d7.exe
1640	powershell.exe
2892	powershell.exe
1268	powershell.exe
780	powershell.exe
1152	powershell.exe
1852	powershell.exe
2168	powershell.exe
2196	services.exe
2216	services.exe
700	services.exe
1748	services.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	855deb7775f714f1fc46d29fea8008d7.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2196	services.exe
Token: SeDebugPrivilege	2216	services.exe
Token: SeDebugPrivilege	700	services.exe
Token: SeDebugPrivilege	1748	services.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2892	2112	855deb7775f714f1fc46d29fea8008d7.exe	50
PID 2112 wrote to memory of 2892	2112	855deb7775f714f1fc46d29fea8008d7.exe	50
PID 2112 wrote to memory of 2892	2112	855deb7775f714f1fc46d29fea8008d7.exe	50
PID 2112 wrote to memory of 1268	2112	855deb7775f714f1fc46d29fea8008d7.exe	51
PID 2112 wrote to memory of 1268	2112	855deb7775f714f1fc46d29fea8008d7.exe	51
PID 2112 wrote to memory of 1268	2112	855deb7775f714f1fc46d29fea8008d7.exe	51
PID 2112 wrote to memory of 2168	2112	855deb7775f714f1fc46d29fea8008d7.exe	52
PID 2112 wrote to memory of 2168	2112	855deb7775f714f1fc46d29fea8008d7.exe	52
PID 2112 wrote to memory of 2168	2112	855deb7775f714f1fc46d29fea8008d7.exe	52
PID 2112 wrote to memory of 1640	2112	855deb7775f714f1fc46d29fea8008d7.exe	54
PID 2112 wrote to memory of 1640	2112	855deb7775f714f1fc46d29fea8008d7.exe	54
PID 2112 wrote to memory of 1640	2112	855deb7775f714f1fc46d29fea8008d7.exe	54
PID 2112 wrote to memory of 780	2112	855deb7775f714f1fc46d29fea8008d7.exe	55
PID 2112 wrote to memory of 780	2112	855deb7775f714f1fc46d29fea8008d7.exe	55
PID 2112 wrote to memory of 780	2112	855deb7775f714f1fc46d29fea8008d7.exe	55
PID 2112 wrote to memory of 1152	2112	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 2112 wrote to memory of 1152	2112	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 2112 wrote to memory of 1152	2112	855deb7775f714f1fc46d29fea8008d7.exe	57
PID 2112 wrote to memory of 1852	2112	855deb7775f714f1fc46d29fea8008d7.exe	58
PID 2112 wrote to memory of 1852	2112	855deb7775f714f1fc46d29fea8008d7.exe	58
PID 2112 wrote to memory of 1852	2112	855deb7775f714f1fc46d29fea8008d7.exe	58
PID 2112 wrote to memory of 1548	2112	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 2112 wrote to memory of 1548	2112	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 2112 wrote to memory of 1548	2112	855deb7775f714f1fc46d29fea8008d7.exe	64
PID 1548 wrote to memory of 880	1548	cmd.exe	66
PID 1548 wrote to memory of 880	1548	cmd.exe	66
PID 1548 wrote to memory of 880	1548	cmd.exe	66
PID 1548 wrote to memory of 2196	1548	cmd.exe	67
PID 1548 wrote to memory of 2196	1548	cmd.exe	67
PID 1548 wrote to memory of 2196	1548	cmd.exe	67
PID 2196 wrote to memory of 2948	2196	services.exe	68
PID 2196 wrote to memory of 2948	2196	services.exe	68
PID 2196 wrote to memory of 2948	2196	services.exe	68
PID 2196 wrote to memory of 2860	2196	services.exe	69
PID 2196 wrote to memory of 2860	2196	services.exe	69
PID 2196 wrote to memory of 2860	2196	services.exe	69
PID 2948 wrote to memory of 2216	2948	WScript.exe	70
PID 2948 wrote to memory of 2216	2948	WScript.exe	70
PID 2948 wrote to memory of 2216	2948	WScript.exe	70
PID 2216 wrote to memory of 1404	2216	services.exe	71
PID 2216 wrote to memory of 1404	2216	services.exe	71
PID 2216 wrote to memory of 1404	2216	services.exe	71
PID 2216 wrote to memory of 2832	2216	services.exe	72
PID 2216 wrote to memory of 2832	2216	services.exe	72
PID 2216 wrote to memory of 2832	2216	services.exe	72
PID 1404 wrote to memory of 700	1404	WScript.exe	73
PID 1404 wrote to memory of 700	1404	WScript.exe	73
PID 1404 wrote to memory of 700	1404	WScript.exe	73
PID 700 wrote to memory of 2080	700	services.exe	74
PID 700 wrote to memory of 2080	700	services.exe	74
PID 700 wrote to memory of 2080	700	services.exe	74
PID 700 wrote to memory of 2412	700	services.exe	75
PID 700 wrote to memory of 2412	700	services.exe	75
PID 700 wrote to memory of 2412	700	services.exe	75
PID 2080 wrote to memory of 1748	2080	WScript.exe	76
PID 2080 wrote to memory of 1748	2080	WScript.exe	76
PID 2080 wrote to memory of 1748	2080	WScript.exe	76
PID 1748 wrote to memory of 2072	1748	services.exe	77
PID 1748 wrote to memory of 2072	1748	services.exe	77
PID 1748 wrote to memory of 2072	1748	services.exe	77
PID 1748 wrote to memory of 2716	1748	services.exe	78
PID 1748 wrote to memory of 2716	1748	services.exe	78
PID 1748 wrote to memory of 2716	1748	services.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe
"C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\855deb7775f714f1fc46d29fea8008d7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G58brWjr2x.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:880
- - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
    "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4232acbc-1268-4ad3-b840-b40f3b6d813b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1412038-c03c-4c32-bc8b-c71b161254db.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\074f483e-e4bc-430f-ab71-654cac30aaeb.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d178eab0-c2df-41da-9301-a983b42aadd7.vbs"
        10⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67159544-df83-4035-9200-6bf130fc6706.vbs"
        10⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac261992-5ecd-4237-bc55-06185cea8c9a.vbs"
        8⤵
        
        PID:2412
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bced560-2390-48d2-bb31-4f674fca3cfe.vbs"
        6⤵
        
        PID:2832
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb52ebee-cc9a-4b55-aa7b-d0273904f2cc.vbs"
      4⤵
      PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe

Filesize
1.6MB

MD5
855deb7775f714f1fc46d29fea8008d7

SHA1
421d56096458fc456190f7c8d13fa3435c051264

SHA256
795cdb953a299acec277e31a6c97b38acdc44dfca7a2ce6bda2785a48bdfafdf

SHA512
7fd5597d07dd4597262a6122c3b165b0624d99ee9d222f448e2161c07bcef791a08be95bf52eb4cf37c8105e53855bf96d1bf026d887cb3ef85d132c07b40d99

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe

Filesize
1.6MB

MD5
6eed97d33ddb070328067e05ba81d942

SHA1
7f7fe0c8ae23e97b9b0296e6ba117d34e64154e6

SHA256
285214db82aa26f0b3473295072be3e656a0849bf91a7d3cdf8a70fc75798273

SHA512
14b3e29b46d6e55f50bf9c1b0237a01dd42b4f5066364fde54165e7244b15400b225c9e0b07581495126f9a400d38f3ec1820d2ce758a75733175d9cac0d7dde

Download Submit
C:\Program Files\Uninstall Information\lsm.exe

Filesize
1.6MB

MD5
e678954cb05212b2ab08652174ce0686

SHA1
70cf5c275e415c957e8955cc7f843f0a84f9e417

SHA256
9e15097938f068ebe43a26e1a23e2e57575f52285053030038fa8a26ef83bc78

SHA512
95bd5a295dc867fbe729579e410c3b40977109e4f847a118b77548250bd5ac0fa6362c660136f93d67e43704bf213b8d1ff1646068c87883b97a8372ec78481b

Download Submit
C:\Users\Admin\AppData\Local\Temp\074f483e-e4bc-430f-ab71-654cac30aaeb.vbs

Filesize
750B

MD5
ffeeedca39632bdfa42c4d277884cfca

SHA1
7176c15711c5e98ebbb2f1f1586a8329e117f502

SHA256
7d2e183ee50ce3348f5cc71b26573fd30ed7f8b77162539b14bde7f35e62be10

SHA512
39d59d84e9e164c78d24d048a35727b25a2dcbe2c4609c1237a68bfd6ad0c987e94396d3579985c9f0c8710edb5d60f3e80315dbdc3ed047ff0b235af903be25

Download Submit
C:\Users\Admin\AppData\Local\Temp\4232acbc-1268-4ad3-b840-b40f3b6d813b.vbs

Filesize
751B

MD5
75af4800c1c520f4bc792c3b404f9733

SHA1
da9715ffc90630f55f5b6b120db3c4715679da3c

SHA256
1d53003492be1f30e9fa4904fc8f1956b5d4893b7428b9552da8ca3fb3db8643

SHA512
4d3eea5503d0d60fe17c31b7440632fbb2f13814bdda6ca690a434c2f1b44d67615620cdc9011bb05e021467e52fe876db626680672c382aa6d6c6c48bc7573f

Download Submit
C:\Users\Admin\AppData\Local\Temp\G58brWjr2x.bat

Filesize
240B

MD5
f121daffcf49d260e66c8280e2d38e93

SHA1
e3701cd64e476c0e564b32b6bebc3ca5fd900ec3

SHA256
17f06acdcf4e9d147cbe1af5c4c2d2ac29d323f379e65327527f641c87301fc3

SHA512
50e3456110211dafaf77662ee6617463a399dc7d4d6ecced016f999f27e6a19870d46ac47bc0ed9c74e56774f17ffd874c67bf479198baf853e7636f8ca87214

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1412038-c03c-4c32-bc8b-c71b161254db.vbs

Filesize
751B

MD5
f970f75372ced4283b5cd22c967591f5

SHA1
4376b5ed8dcf7eb24990cc6ac4a8ba0fb562708c

SHA256
ef60ff3020eee318e592034f4791fdd723b07a52ec1fe52b7519eb77f45825be

SHA512
ab32dae8f79901269913b8b356bc8a2f1253413698370242fa8f85da71693c2ae3ecaab5517f668d0bce2151858f9235493441fe5fc5507c7aa545c02388e088

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb52ebee-cc9a-4b55-aa7b-d0273904f2cc.vbs

Filesize
527B

MD5
0ff3ab817ba72890ee2dbe5bfce48745

SHA1
d1cacd06a5f5913735913087b8924cde502f8d46

SHA256
e2d7f602a80a3232020810ed8623d6813375d6344cb56b9d6f95813c712ee0d4

SHA512
768df766c5c56fd4cdef68d88067321656ba2837841df41ee7bceeebdcb0a0d54ed8a6bc3b35988487630b8a3139e57be91facbfef03fdf436a31f01032555b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d178eab0-c2df-41da-9301-a983b42aadd7.vbs

Filesize
751B

MD5
264b64e9a30443885bd4f8e5bd77f146

SHA1
b2e22fd5ce374aefa8aefd4d397962bb8227308b

SHA256
c7e165ade69530e9331e3921741cd1c0908f908239138ebd70283a735f7b6ae3

SHA512
c0a9476ec4b539b04a6bc602ea98dd3c20f7b17cd40c449560d908a84834e91cc64bd24139fa8436efa3f305d9888909d15296ad0737b0d4057911011b02a4de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9576be2c76857f47baaa77031dc8d3f3

SHA1
f6ffdbbf6243f72f41b51af310387ff903ab5637

SHA256
071f34b9424cd405d0ddebc8f9ba3d44bd3b4bae2f33cea46e4c1fd0a65b14d8

SHA512
75c21c214123a31d084bce4501ded40db9fca3e02d2e99e6aec186c0bd80ce165cfd144007017a4cbe57aa9025225a811b35423f4630ab38c3d535a6ce851242

Download Submit
memory/700-170-0x00000000000E0000-0x0000000000282000-memory.dmp

Filesize
1.6MB

Download
memory/1640-123-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1640-128-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1748-182-0x0000000000A70000-0x0000000000C12000-memory.dmp

Filesize
1.6MB

Download
memory/2112-13-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/2112-12-0x0000000002340000-0x000000000234E000-memory.dmp

Filesize
56KB

Download
memory/2112-5-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2112-3-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2112-7-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2112-8-0x00000000007A0000-0x00000000007A8000-memory.dmp

Filesize
32KB

Download
memory/2112-112-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-10-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/2112-11-0x0000000002330000-0x000000000233A000-memory.dmp

Filesize
40KB

Download
memory/2112-6-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2112-0-0x000007FEF5523000-0x000007FEF5524000-memory.dmp

Filesize
4KB

Download
memory/2112-1-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download
memory/2112-16-0x000000001A800000-0x000000001A80C000-memory.dmp

Filesize
48KB

Download
memory/2112-14-0x000000001A7E0000-0x000000001A7E8000-memory.dmp

Filesize
32KB

Download
memory/2112-2-0x000007FEF5520000-0x000007FEF5F0C000-memory.dmp

Filesize
9.9MB

Download
memory/2112-15-0x000000001A7F0000-0x000000001A7FA000-memory.dmp

Filesize
40KB

Download
memory/2112-9-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2112-4-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2196-147-0x0000000000940000-0x0000000000AE2000-memory.dmp

Filesize
1.6MB

Download
memory/2216-158-0x0000000000AC0000-0x0000000000C62000-memory.dmp

Filesize
1.6MB

Download