dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
60s
max time network
61s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Size

1.6MB
MD5

e38a8ba2db5ea28f0f52d37b4a9d0d45
SHA1

eeb67e1eb72370ce24df9b82c6a7664176dfe064
SHA256

1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6
SHA512

ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2524	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2524	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral7/memory/2820-1-0x0000000001090000-0x0000000001232000-memory.dmp	dcrat
behavioral7/files/0x00050000000186e4-25.dat	dcrat
behavioral7/files/0x00060000000193c2-50.dat	dcrat
behavioral7/files/0x0007000000017492-74.dat	dcrat
behavioral7/memory/1992-129-0x0000000000110000-0x00000000002B2000-memory.dmp	dcrat
behavioral7/memory/2424-140-0x00000000009B0000-0x0000000000B52000-memory.dmp	dcrat
behavioral7/memory/2800-152-0x0000000000C30000-0x0000000000DD2000-memory.dmp	dcrat
behavioral7/memory/1912-164-0x00000000012C0000-0x0000000001462000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2224	powershell.exe
2280	powershell.exe
2056	powershell.exe
1360	powershell.exe
2156	powershell.exe
2064	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1992	lsm.exe
2424	lsm.exe
2800	lsm.exe
1912	lsm.exe
2964	lsm.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Program Files\Windows Media Player\6ccacd8608530f	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX7C99.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX7C9A.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Program Files\Windows Media Player\Idle.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\L2Schemas\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\L2Schemas\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File created	C:\Windows\L2Schemas\afa331d0951d21	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\L2Schemas\RCX7A27.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
File opened for modification	C:\Windows\L2Schemas\RCX7A96.tmp	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
2276	schtasks.exe
2036	schtasks.exe
2504	schtasks.exe
2992	schtasks.exe
2440	schtasks.exe
1564	schtasks.exe
1700	schtasks.exe
692	schtasks.exe
2436	schtasks.exe
2292	schtasks.exe
2220	schtasks.exe
1836	schtasks.exe
588	schtasks.exe
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
2056	powershell.exe
2224	powershell.exe
2064	powershell.exe
2156	powershell.exe
1360	powershell.exe
2280	powershell.exe
1992	lsm.exe
2424	lsm.exe
2800	lsm.exe
1912	lsm.exe
2964	lsm.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1992	lsm.exe
Token: SeDebugPrivilege	2424	lsm.exe
Token: SeDebugPrivilege	2800	lsm.exe
Token: SeDebugPrivilege	1912	lsm.exe
Token: SeDebugPrivilege	2964	lsm.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1360	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	46
PID 2820 wrote to memory of 1360	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	46
PID 2820 wrote to memory of 1360	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	46
PID 2820 wrote to memory of 2156	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	47
PID 2820 wrote to memory of 2156	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	47
PID 2820 wrote to memory of 2156	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	47
PID 2820 wrote to memory of 2064	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	48
PID 2820 wrote to memory of 2064	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	48
PID 2820 wrote to memory of 2064	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	48
PID 2820 wrote to memory of 2224	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	49
PID 2820 wrote to memory of 2224	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	49
PID 2820 wrote to memory of 2224	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	49
PID 2820 wrote to memory of 2280	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	50
PID 2820 wrote to memory of 2280	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	50
PID 2820 wrote to memory of 2280	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	50
PID 2820 wrote to memory of 2056	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	51
PID 2820 wrote to memory of 2056	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	51
PID 2820 wrote to memory of 2056	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	51
PID 2820 wrote to memory of 764	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	58
PID 2820 wrote to memory of 764	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	58
PID 2820 wrote to memory of 764	2820	1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe	58
PID 764 wrote to memory of 1576	764	cmd.exe	60
PID 764 wrote to memory of 1576	764	cmd.exe	60
PID 764 wrote to memory of 1576	764	cmd.exe	60
PID 764 wrote to memory of 1992	764	cmd.exe	61
PID 764 wrote to memory of 1992	764	cmd.exe	61
PID 764 wrote to memory of 1992	764	cmd.exe	61
PID 1992 wrote to memory of 1396	1992	lsm.exe	62
PID 1992 wrote to memory of 1396	1992	lsm.exe	62
PID 1992 wrote to memory of 1396	1992	lsm.exe	62
PID 1992 wrote to memory of 2696	1992	lsm.exe	63
PID 1992 wrote to memory of 2696	1992	lsm.exe	63
PID 1992 wrote to memory of 2696	1992	lsm.exe	63
PID 1396 wrote to memory of 2424	1396	WScript.exe	64
PID 1396 wrote to memory of 2424	1396	WScript.exe	64
PID 1396 wrote to memory of 2424	1396	WScript.exe	64
PID 2424 wrote to memory of 2772	2424	lsm.exe	65
PID 2424 wrote to memory of 2772	2424	lsm.exe	65
PID 2424 wrote to memory of 2772	2424	lsm.exe	65
PID 2424 wrote to memory of 1236	2424	lsm.exe	66
PID 2424 wrote to memory of 1236	2424	lsm.exe	66
PID 2424 wrote to memory of 1236	2424	lsm.exe	66
PID 2772 wrote to memory of 2800	2772	WScript.exe	68
PID 2772 wrote to memory of 2800	2772	WScript.exe	68
PID 2772 wrote to memory of 2800	2772	WScript.exe	68
PID 2800 wrote to memory of 856	2800	lsm.exe	69
PID 2800 wrote to memory of 856	2800	lsm.exe	69
PID 2800 wrote to memory of 856	2800	lsm.exe	69
PID 2800 wrote to memory of 2976	2800	lsm.exe	70
PID 2800 wrote to memory of 2976	2800	lsm.exe	70
PID 2800 wrote to memory of 2976	2800	lsm.exe	70
PID 856 wrote to memory of 1912	856	WScript.exe	71
PID 856 wrote to memory of 1912	856	WScript.exe	71
PID 856 wrote to memory of 1912	856	WScript.exe	71
PID 1912 wrote to memory of 2952	1912	lsm.exe	72
PID 1912 wrote to memory of 2952	1912	lsm.exe	72
PID 1912 wrote to memory of 2952	1912	lsm.exe	72
PID 1912 wrote to memory of 2352	1912	lsm.exe	73
PID 1912 wrote to memory of 2352	1912	lsm.exe	73
PID 1912 wrote to memory of 2352	1912	lsm.exe	73
PID 2952 wrote to memory of 2964	2952	WScript.exe	74
PID 2952 wrote to memory of 2964	2952	WScript.exe	74
PID 2952 wrote to memory of 2964	2952	WScript.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe
"C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4fYIssV3ek.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1576
- - C:\Users\Default\lsm.exe
    "C:\Users\Default\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8b8b502-3069-4856-8640-87c7c2bbfe00.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Users\Default\lsm.exe
        
        C:\Users\Default\lsm.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1fbe5f2-6dd7-4697-bf86-a74cd3888927.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Users\Default\lsm.exe
        
        C:\Users\Default\lsm.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97d362a3-2ca4-41ea-8b40-fd1a3f153bc1.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Users\Default\lsm.exe
        
        C:\Users\Default\lsm.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d1b72b5-dbb2-4423-92f9-57b4bbbfb5c3.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Users\Default\lsm.exe
        
        C:\Users\Default\lsm.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df1a1546-53a4-4bd7-80ae-7486341214ee.vbs"
        12⤵
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a9b40b7-921e-4b79-89e5-e276bf5729fc.vbs"
        12⤵
        
        PID:2260
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7669c9e-66dc-498b-8817-7401e340fed4.vbs"
        10⤵
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7557e4e-befd-43b4-93bf-497d71cbddfd.vbs"
        8⤵
        
        PID:2976
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8158f75e-4266-4d98-a48d-5093095c1a8f.vbs"
        6⤵
        
        PID:1236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ec10f03-0e81-437a-9dd0-933f57db2072.vbs"
      4⤵
      PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd61" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6" /sc ONLOGON /tr "'C:\Windows\L2Schemas\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd61" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\Idle.exe

Filesize
1.6MB

MD5
e38a8ba2db5ea28f0f52d37b4a9d0d45

SHA1
eeb67e1eb72370ce24df9b82c6a7664176dfe064

SHA256
1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6

SHA512
ee6f813b71c0c56c5794cb6b5ba48fdf527a9f0077aaf1a100e1f36c914e28bb6675f8ae90544ada72d0e315b436db8016dffe27467b6891cbbd1ef07d7b661e

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe

Filesize
1.6MB

MD5
c1b6f181148e79f671b20e00c9f3bbfb

SHA1
0ca461ed4078a0b6748fbc55745a58c2422d0216

SHA256
7061d2317b03f2f8ca66dc7bf79f197f8e17d32d1da2eaf4e8c219d1b433f17e

SHA512
704a4f58aeb0ee1f51deff8bcbac75259ffab632835131db14204ae748a3ad0ba8f0b28f60282dd2987b67ce316bd558f8358fba77301cf366c02805f8a5509b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ec10f03-0e81-437a-9dd0-933f57db2072.vbs

Filesize
476B

MD5
bf2ba61c2660ee90229dfa17423f77c7

SHA1
278e35cef5828373322e30fe5687bb62cbd7ff67

SHA256
3c695a3275d1dd1fa5039903bb6367b258246beb302cde7ef5f63ac6c67a27b4

SHA512
f707ff30cf0a2e068ef4e849851f783ab30acc44b622f9cae00fa11599f47e6f5c500b4cfc2bffd4247f0dad80d35445e852078f495ef3d43da88973e47307f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fYIssV3ek.bat

Filesize
189B

MD5
d8fc68e6b24c4cdf2b31bcaea0a6cdff

SHA1
ca785d7d29abddb5b81d05593cd3a0405afb7113

SHA256
8c69e5552945f7d1d242301fd9674bcbbe570b22ad159403b240a459e3dbce5b

SHA512
29732e9392efbfc8b0f60d47a401d6e5d596f63c12cde3a0c79d207600e63b900b8a2f35ee778ff033a625d2fe7be6650f862a2ef3f4dbd7179379484c1c1310

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d1b72b5-dbb2-4423-92f9-57b4bbbfb5c3.vbs

Filesize
700B

MD5
e8672fca28f0de506ee35ba17db9226e

SHA1
a292e5cf57fc489460613db17fe535aaa584d257

SHA256
1d4a2d1e6b1c6ec2a300e0e1a9267e76c42518faa17f245ed07223c4c8444b2c

SHA512
870e1590738a6d45d56932cb2a6926392cd3b2ce590489452b5db36da18ce40f67d41cc13e05880208c5235da9f6bc9afdb0922874536651b099a890c9e04d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\97d362a3-2ca4-41ea-8b40-fd1a3f153bc1.vbs

Filesize
700B

MD5
6bcf3196d9f2c725a77a93e9ed667c33

SHA1
22ac32666107c565e681e339c1c1ff36386d54fc

SHA256
193f948d31e3dbb9dad1297d091c639ba60cd2e26b60cb29248e8640bdadc510

SHA512
952cf9b122089e1abd92c33a203932e7ae4054d23f27686d160cd2f081071643226abf37520643b97e59b16967d71d2c70a4009ee859857e9aa8a4dbaf4db4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1fbe5f2-6dd7-4697-bf86-a74cd3888927.vbs

Filesize
700B

MD5
11ca89e4bf8c35a347f87a150defc6d4

SHA1
cca0a8ccd29824f091db6255a8e2eb9c3a5c7f10

SHA256
c44b4c42b7007765fa98de7520e920f7252bcbe80a3c796e2067a884ed154b40

SHA512
44ed84eec9ebbe3ab136fbadc9be13a286e289cf0fc944b2d74b4f997dffa101a7913070de351764d6b0c1473d88b2c264e3691b3ffe7075491a86f3579de815

Download Submit
C:\Users\Admin\AppData\Local\Temp\df1a1546-53a4-4bd7-80ae-7486341214ee.vbs

Filesize
700B

MD5
4ce3c1a085fcdf9128c9af6caf8620ef

SHA1
f2d9ab8f442e67cb2478247f375ba43da72c1343

SHA256
fb013166eea90488e0f703e99e5fd3425dab2c9185b3fd1456bd03b59705a5f8

SHA512
9662e4a8137e197780153dfc3193cbecf6c2f7d59098abf3e6fe956ce349548f5682e3233a111b71b97a242d0d64fc265b06c78b2bb00412e2d3418f61fe1460

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8b8b502-3069-4856-8640-87c7c2bbfe00.vbs

Filesize
700B

MD5
e40a515f55cb456982ee21bf4fb8b422

SHA1
6da37f57a46c9d68697feabbe0dc04829f15745d

SHA256
92a722f5bc5a20f5f70f2ce3c5ea3269f719013dc30f8b03400b64a142f197c1

SHA512
7d4342b5b936bce682295d710a958352477bd2e9637a17e2e3a39d769d5a3e1c8bb460566cc01a48cd4902b09f605ef290e1d739d789d2a2b2c3c25266f32581

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b694f861a91f3d109ae2e6c6ab8e33b8

SHA1
5a1b37590b04f0b53b2c89997bbc0f3a5df47fee

SHA256
89f21e3b6a04f1b4d69ba6a714b6698ffd79c76a9580ab93e3a9a514c1cab6d6

SHA512
4ba84f994bb4ec316f2073f96cfd2df0bedbb0d101a575bc447df57e950166f43a3e918e0f43f27e6adc5e24c258caab84bbf1b86bc01b331a79e202fe4da094

Download Submit
C:\Windows\L2Schemas\1df5615c53dd390e494c93dd90caada8678eb2fccdddaccf063e96fc3956abd6.exe

Filesize
1.6MB

MD5
7f2fd314ccee12fc6359d26dcd85b4a0

SHA1
b0a9d60fb5b07b4cac680785f5b133be2cda5477

SHA256
5a49109197306e2abf46826bdd0c1ecaf1941f2026239b4699a323120fc17b3a

SHA512
e05038536935e3e29978ad4996ac5036c8c40bde069ec3694493d0aa69c63eea4e42cf1d733ffa6687520835644923f32953186ee2bdecfd7fdda7e02f378980

Download Submit
memory/1912-164-0x00000000012C0000-0x0000000001462000-memory.dmp

Filesize
1.6MB

Download
memory/1992-129-0x0000000000110000-0x00000000002B2000-memory.dmp

Filesize
1.6MB

Download
memory/2064-113-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2224-115-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2424-140-0x00000000009B0000-0x0000000000B52000-memory.dmp

Filesize
1.6MB

Download
memory/2800-152-0x0000000000C30000-0x0000000000DD2000-memory.dmp

Filesize
1.6MB

Download
memory/2820-13-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2820-9-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2820-16-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2820-14-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2820-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2820-11-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2820-12-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2820-121-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-10-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2820-0-0x000007FEF5433000-0x000007FEF5434000-memory.dmp

Filesize
4KB

Download
memory/2820-8-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2820-6-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/2820-7-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2820-5-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/2820-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2820-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2820-2-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2820-1-0x0000000001090000-0x0000000001232000-memory.dmp

Filesize
1.6MB

Download