dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43e3cf7f28351d5c551164a74a93d356.exe
Size

885KB
MD5

43e3cf7f28351d5c551164a74a93d356
SHA1

9437db06357fce38247b3f3ef0f67185b3f5a9f0
SHA256

ed6e748881b649402434d33ab8831f87d239ef339b7909620877678b09c0e6eb
SHA512

c5651323110e6af4400664baab5238b5b5ab55835737b64d2e0cb971694023e8bce2307d26dcbfc7b7a2a2a53b4bb3c157f55156ba095795d081fe19208516cc
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2768	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2768	schtasks.exe	29

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1712-1-0x00000000002A0000-0x0000000000384000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4d7-18.dat	dcrat
behavioral1/files/0x000800000001a4e8-55.dat	dcrat
behavioral1/memory/996-86-0x0000000000C10000-0x0000000000CF4000-memory.dmp	dcrat
behavioral1/memory/1884-109-0x0000000001390000-0x0000000001474000-memory.dmp	dcrat
behavioral1/memory/2776-121-0x00000000013E0000-0x00000000014C4000-memory.dmp	dcrat
behavioral1/memory/2068-155-0x00000000002D0000-0x00000000003B4000-memory.dmp	dcrat
behavioral1/memory/1572-167-0x0000000000050000-0x0000000000134000-memory.dmp	dcrat
behavioral1/memory/1872-179-0x0000000000F30000-0x0000000001014000-memory.dmp	dcrat
behavioral1/memory/1132-191-0x0000000000F70000-0x0000000001054000-memory.dmp	dcrat
behavioral1/memory/1004-203-0x0000000001340000-0x0000000001424000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
996	OSPPSVC.exe
2300	OSPPSVC.exe
1884	OSPPSVC.exe
2776	OSPPSVC.exe
2604	OSPPSVC.exe
2064	OSPPSVC.exe
2068	OSPPSVC.exe
1572	OSPPSVC.exe
1872	OSPPSVC.exe
1132	OSPPSVC.exe
1004	OSPPSVC.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\1610b97d3ab4a7	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX4770.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX47FF.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\RCX4841.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files\Microsoft Office\smss.exe	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\1610b97d3ab4a7	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\OSPPSVC.exe	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX4771.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX4782.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\RCX4842.tmp	43e3cf7f28351d5c551164a74a93d356.exe
File created	C:\Program Files\Microsoft Office\69ddcba757bf72	43e3cf7f28351d5c551164a74a93d356.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2744	schtasks.exe
2292	schtasks.exe
2844	schtasks.exe
2644	schtasks.exe
2960	schtasks.exe
2848	schtasks.exe
2840	schtasks.exe
2776	schtasks.exe
2732	schtasks.exe
2692	schtasks.exe
2632	schtasks.exe
2084	schtasks.exe
2184	schtasks.exe
2360	schtasks.exe
2376	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1712	43e3cf7f28351d5c551164a74a93d356.exe
996	OSPPSVC.exe
2300	OSPPSVC.exe
1884	OSPPSVC.exe
2776	OSPPSVC.exe
2604	OSPPSVC.exe
2064	OSPPSVC.exe
2068	OSPPSVC.exe
1572	OSPPSVC.exe
1872	OSPPSVC.exe
1132	OSPPSVC.exe
1004	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	43e3cf7f28351d5c551164a74a93d356.exe
Token: SeDebugPrivilege	996	OSPPSVC.exe
Token: SeDebugPrivilege	2300	OSPPSVC.exe
Token: SeDebugPrivilege	1884	OSPPSVC.exe
Token: SeDebugPrivilege	2776	OSPPSVC.exe
Token: SeDebugPrivilege	2604	OSPPSVC.exe
Token: SeDebugPrivilege	2064	OSPPSVC.exe
Token: SeDebugPrivilege	2068	OSPPSVC.exe
Token: SeDebugPrivilege	1572	OSPPSVC.exe
Token: SeDebugPrivilege	1872	OSPPSVC.exe
Token: SeDebugPrivilege	1132	OSPPSVC.exe
Token: SeDebugPrivilege	1004	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 996	1712	43e3cf7f28351d5c551164a74a93d356.exe	45
PID 1712 wrote to memory of 996	1712	43e3cf7f28351d5c551164a74a93d356.exe	45
PID 1712 wrote to memory of 996	1712	43e3cf7f28351d5c551164a74a93d356.exe	45
PID 996 wrote to memory of 2212	996	OSPPSVC.exe	46
PID 996 wrote to memory of 2212	996	OSPPSVC.exe	46
PID 996 wrote to memory of 2212	996	OSPPSVC.exe	46
PID 996 wrote to memory of 2340	996	OSPPSVC.exe	47
PID 996 wrote to memory of 2340	996	OSPPSVC.exe	47
PID 996 wrote to memory of 2340	996	OSPPSVC.exe	47
PID 2212 wrote to memory of 2300	2212	WScript.exe	48
PID 2212 wrote to memory of 2300	2212	WScript.exe	48
PID 2212 wrote to memory of 2300	2212	WScript.exe	48
PID 2300 wrote to memory of 1860	2300	OSPPSVC.exe	49
PID 2300 wrote to memory of 1860	2300	OSPPSVC.exe	49
PID 2300 wrote to memory of 1860	2300	OSPPSVC.exe	49
PID 2300 wrote to memory of 2408	2300	OSPPSVC.exe	50
PID 2300 wrote to memory of 2408	2300	OSPPSVC.exe	50
PID 2300 wrote to memory of 2408	2300	OSPPSVC.exe	50
PID 1860 wrote to memory of 1884	1860	WScript.exe	51
PID 1860 wrote to memory of 1884	1860	WScript.exe	51
PID 1860 wrote to memory of 1884	1860	WScript.exe	51
PID 1884 wrote to memory of 2712	1884	OSPPSVC.exe	52
PID 1884 wrote to memory of 2712	1884	OSPPSVC.exe	52
PID 1884 wrote to memory of 2712	1884	OSPPSVC.exe	52
PID 1884 wrote to memory of 2284	1884	OSPPSVC.exe	53
PID 1884 wrote to memory of 2284	1884	OSPPSVC.exe	53
PID 1884 wrote to memory of 2284	1884	OSPPSVC.exe	53
PID 2712 wrote to memory of 2776	2712	WScript.exe	54
PID 2712 wrote to memory of 2776	2712	WScript.exe	54
PID 2712 wrote to memory of 2776	2712	WScript.exe	54
PID 2776 wrote to memory of 2908	2776	OSPPSVC.exe	55
PID 2776 wrote to memory of 2908	2776	OSPPSVC.exe	55
PID 2776 wrote to memory of 2908	2776	OSPPSVC.exe	55
PID 2776 wrote to memory of 1896	2776	OSPPSVC.exe	56
PID 2776 wrote to memory of 1896	2776	OSPPSVC.exe	56
PID 2776 wrote to memory of 1896	2776	OSPPSVC.exe	56
PID 2908 wrote to memory of 2604	2908	WScript.exe	57
PID 2908 wrote to memory of 2604	2908	WScript.exe	57
PID 2908 wrote to memory of 2604	2908	WScript.exe	57
PID 2604 wrote to memory of 1124	2604	OSPPSVC.exe	58
PID 2604 wrote to memory of 1124	2604	OSPPSVC.exe	58
PID 2604 wrote to memory of 1124	2604	OSPPSVC.exe	58
PID 2604 wrote to memory of 820	2604	OSPPSVC.exe	59
PID 2604 wrote to memory of 820	2604	OSPPSVC.exe	59
PID 2604 wrote to memory of 820	2604	OSPPSVC.exe	59
PID 1124 wrote to memory of 2064	1124	WScript.exe	60
PID 1124 wrote to memory of 2064	1124	WScript.exe	60
PID 1124 wrote to memory of 2064	1124	WScript.exe	60
PID 2064 wrote to memory of 940	2064	OSPPSVC.exe	61
PID 2064 wrote to memory of 940	2064	OSPPSVC.exe	61
PID 2064 wrote to memory of 940	2064	OSPPSVC.exe	61
PID 2064 wrote to memory of 1412	2064	OSPPSVC.exe	62
PID 2064 wrote to memory of 1412	2064	OSPPSVC.exe	62
PID 2064 wrote to memory of 1412	2064	OSPPSVC.exe	62
PID 940 wrote to memory of 2068	940	WScript.exe	63
PID 940 wrote to memory of 2068	940	WScript.exe	63
PID 940 wrote to memory of 2068	940	WScript.exe	63
PID 2068 wrote to memory of 1392	2068	OSPPSVC.exe	64
PID 2068 wrote to memory of 1392	2068	OSPPSVC.exe	64
PID 2068 wrote to memory of 1392	2068	OSPPSVC.exe	64
PID 2068 wrote to memory of 2452	2068	OSPPSVC.exe	65
PID 2068 wrote to memory of 2452	2068	OSPPSVC.exe	65
PID 2068 wrote to memory of 2452	2068	OSPPSVC.exe	65
PID 1392 wrote to memory of 1572	1392	WScript.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\43e3cf7f28351d5c551164a74a93d356.exe
"C:\Users\Admin\AppData\Local\Temp\43e3cf7f28351d5c551164a74a93d356.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
  "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e694f6c-0b61-4842-9db9-9510dedddf8a.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
      "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c5fb64a-7e24-4ab2-8350-7d9d61f5d309.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
      - C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b03011e-909b-45e9-b265-414f2b0b1dcd.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfe5149d-5288-41c3-a65b-6c3c44002d3e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e987f0be-9c6e-465e-94b1-d1873943c08d.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\022fa669-6a81-4c46-afde-5488410b0121.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30803f14-1142-4206-a6aa-decf5bff0e5b.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9867b173-eba2-467b-a7ce-92c4984bb12a.vbs"
        17⤵
        
        PID:2516
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5dc430e4-1577-43ba-8457-402d8ea3f25b.vbs"
        19⤵
        
        PID:1940
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef9336ec-73f1-492d-bb43-b3f713dcc58a.vbs"
        21⤵
        
        PID:684
        
        C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe
        
        "C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2b7cd57-93b0-4e0a-a635-fe9560a6ba70.vbs"
        23⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07c51949-6c47-4b05-bb73-281e1a8c54cc.vbs"
        23⤵
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da9f1a1a-93e3-4715-8a3e-f8be53419799.vbs"
        21⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ebdd326-4adf-4ab8-aa4d-6e6dc627d60a.vbs"
        19⤵
        
        PID:2484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d759814b-547f-440f-b7d1-6d1c3dc2b7e9.vbs"
        17⤵
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b395c3c-a94b-41ac-8d00-1fb991c8c4f5.vbs"
        15⤵
        
        PID:2452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\70aaf852-87bf-4e1f-a767-576a9e9e8758.vbs"
        13⤵
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0fa833b-5a0f-445c-ad92-f002bd78c71c.vbs"
        11⤵
        
        PID:820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8b971a3-996e-4627-a8eb-73b519a2a2d8.vbs"
        9⤵
        
        PID:1896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\504a2ce5-0278-43a7-a18b-beba8ac1322a.vbs"
        7⤵
        
        PID:2284
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e91701fe-a91d-4844-970e-45712f79e5af.vbs"
        5⤵
        
        PID:2408
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9be0305-d8ec-457e-a8cc-9bbeea3c8e0b.vbs"
    3⤵
    PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\OSPPSVC.exe

Filesize
885KB

MD5
43e3cf7f28351d5c551164a74a93d356

SHA1
9437db06357fce38247b3f3ef0f67185b3f5a9f0

SHA256
ed6e748881b649402434d33ab8831f87d239ef339b7909620877678b09c0e6eb

SHA512
c5651323110e6af4400664baab5238b5b5ab55835737b64d2e0cb971694023e8bce2307d26dcbfc7b7a2a2a53b4bb3c157f55156ba095795d081fe19208516cc

Download Submit
C:\Program Files (x86)\Windows Media Player\ja-JP\OSPPSVC.exe

Filesize
885KB

MD5
8b5ec1391761b8e1b6673adfbc9a34b5

SHA1
0e2605a1c181670b4d2e16d92ec1c02c73efce91

SHA256
1c295e2c4aaaa1885123ae30cc1461993d7e281cdd571afa1bac12e98cfa76ea

SHA512
97208608931f767c157396e9fab8275218c6b80f03b7e0349c28540a62ace6341a0db6504f5691f11f2503094c99f3c5c9c1c423be9fd87d384239aeff941db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\022fa669-6a81-4c46-afde-5488410b0121.vbs

Filesize
737B

MD5
b57ab511abe767209e78e88a88513e28

SHA1
c80327da89a1db9e19d5dd11c4f5c075295b5e01

SHA256
61fdd1454f91e34e7a14de7bdfdb6557099b372bdc3a9fed7859d808c5923fd1

SHA512
5b0749806e730e437abee6dbf1c6681f1006b4681e9360ae378af90cf3f297d8df59229776fcaba06ae884a7d2540c237318e80042f35f1368f3230baf05db2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e694f6c-0b61-4842-9db9-9510dedddf8a.vbs

Filesize
736B

MD5
fb20ac79fa7cec372788515515653dc3

SHA1
ada185fb5f132a77a417ecb48c1d0e9772ad989f

SHA256
effed800d30a7ea635ae699005723950a964c2c699813feb30ec42dace2feb99

SHA512
2c72eef8d04ff2711046f06b9d792b882116b1f2d3783d5081e92dc5a84fe171f21617b2dd479263e33ef2dec8aa68109cdb8c70cca751f85544974d9d5aa489

Download Submit
C:\Users\Admin\AppData\Local\Temp\30803f14-1142-4206-a6aa-decf5bff0e5b.vbs

Filesize
737B

MD5
0ebce02df38ce5ac07fea4b063e9fe8b

SHA1
c7b68efb617b8ef872f3f63f1e45cbfcd2baa798

SHA256
c653aa15ced7ce340d6887bba82837783464705998fe24226bc603953aaab602

SHA512
3ba23658ba387fb09c25b7beff3b496ec5b4fa7cf7116f06c9eb7824273ddfaabca10fcc7ee2dccff469359f157939594d6e51ececb25afb8e8ee02916583b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c5fb64a-7e24-4ab2-8350-7d9d61f5d309.vbs

Filesize
737B

MD5
17f5a6d3529f967bcc5f87f6f33efafd

SHA1
495c0bda4e0a2b952ae3a3522e3574436540bad0

SHA256
b8a0d0e7d8c5354db80337d74932e8d46ea3765476ff50ffddd609f5632541a5

SHA512
aaf9cf99877b4f28e927bd29a50f60fcd7cf754399368fd660d5c30ae8e19148b4ce47f8c4e2076fdd57b56b3723976b6ad003bf8285d76bd85e231e44d6dd9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5dc430e4-1577-43ba-8457-402d8ea3f25b.vbs

Filesize
737B

MD5
b83519b83225ef749b5f1c57e1381eff

SHA1
fc108c0b8ddaafee5e3923762d99ecfa2d9563f5

SHA256
141b02aca5bfe2f3ebfaad3d834413fdba9f8abc13ccd99ee555da16f52eb7db

SHA512
e5f01212961c27e70d7b49087f548b317e179f13096965a136d0bb08865542824c6b90df35754027bf932a365241c85b4ae6fb5db610632f80fab3628490eaff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9867b173-eba2-467b-a7ce-92c4984bb12a.vbs

Filesize
737B

MD5
03dfac8c84c3a5c5e93dfb47a96171cf

SHA1
6758f91c526c5e4d4c1f95680e4c8f143d05d0ef

SHA256
29f106e57fafc4b80ccb03d2c343e9b90457e3608fd70e6e881925a34e299fdb

SHA512
613758f3642ec938cfe57482fd9c1b0525ac0f7e7679faa06075375c7c3c06cf5150ca03c574609d3f1b63f97c19057737ddfeb57b0534cac7e22b8461588127

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b03011e-909b-45e9-b265-414f2b0b1dcd.vbs

Filesize
737B

MD5
91cf3c8972ce6c508fbf8a9b33708a67

SHA1
8812c44fe9c0e693d4a4fbffcd6937ce4b672fce

SHA256
b5cbd0e31c59d3426172cf9443cc03771e21f34e290c5da24b2f83a000891f8c

SHA512
0affa1b9bb0b306491805a873deeae456339a49dca3ffd98b3b7c7a9584ee40a307a0de7bd62fc966f3a3cc0c740ded0c7b33288f55afbbcc94431c34856c7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfe5149d-5288-41c3-a65b-6c3c44002d3e.vbs

Filesize
737B

MD5
3868e13988fbfc09ff7f54ad3b026225

SHA1
8ce1edf281ec20c923f58d05ff557f14f038c615

SHA256
658b1f53f70f33e0dd24fc4fe018ff8a528c9baccd1739857c40ecb513f5ce52

SHA512
03e6a346d562e184d0d471a17d09efd766a576733342b2d2e8107639d3989dc6f48b4fdd62e3ba069c98d391f1f4ddbca25f4383cc69ba5c24c737cc34733a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2b7cd57-93b0-4e0a-a635-fe9560a6ba70.vbs

Filesize
737B

MD5
ab9fc55940b509f29cf212a350ad64c0

SHA1
ff1ec4f174238351f12295d12b57f29fb5aecd9d

SHA256
cabf56966d1a438e7bdb7745bb318d4a9499cf7b82ed0d7f9a030eb6efb58933

SHA512
a38eb8734ac4f4fac0208cd0ba3b468e035e12f4f73045a646afa104e824234e103aec82cd0dbd78335629a8bebe845ee368269ff67850a7ebeb8ff5798339c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\e987f0be-9c6e-465e-94b1-d1873943c08d.vbs

Filesize
737B

MD5
eed45189d463d399aaab9d68b246dd62

SHA1
25c56dd92d6cf48b41cd8298eaf2547b6fbbc6e6

SHA256
9628f7fc90872ab016e21af8e5f0b69833f5b32bed496187af7d3b1866007908

SHA512
c923969371944e20d678e0020197d6b136911bce01dbe2783bfe21ea0b0f30c3d7cd8a46a7617187012b227b288366b2ec3708b51c39cf8e6ba40df436782c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9be0305-d8ec-457e-a8cc-9bbeea3c8e0b.vbs

Filesize
513B

MD5
3c2b685cb62eb12842e669168015ae90

SHA1
bf0e52dbb54d052098aec794d4e2727baf0f4c26

SHA256
14db73cd08e202b0a08cee9b2dbebab8000cda0bab35f54625eac3f86735cd5a

SHA512
db45f1b1432591737fa8291cc4a91c9457ff884d90e568c8d879bc505d8d3ad6fd71a8936fa8cd6fd2b771bcd7a8a364d48c80cc6d90dae74a14c0a8389db70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef9336ec-73f1-492d-bb43-b3f713dcc58a.vbs

Filesize
737B

MD5
a7f23d4ee06b3bc910d134d30b45873c

SHA1
2e7030b17b7519d4f2a6902ee20e6e1a736900fb

SHA256
4b207c56a9fdb17a8baa0e7433486f96a1619573752d08b3f35966daabb0b6b7

SHA512
b1bfb5c06fcc12b7cf282afac32630677097af49f5420f23b1ebb6dc9f502febc9a7f606c8201ddfeea3653e1d681e4d650f826fb71a8984e6457f6d59ffee83

Download Submit
memory/996-86-0x0000000000C10000-0x0000000000CF4000-memory.dmp

Filesize
912KB

Download
memory/1004-203-0x0000000001340000-0x0000000001424000-memory.dmp

Filesize
912KB

Download
memory/1132-191-0x0000000000F70000-0x0000000001054000-memory.dmp

Filesize
912KB

Download
memory/1572-167-0x0000000000050000-0x0000000000134000-memory.dmp

Filesize
912KB

Download
memory/1712-3-0x0000000000250000-0x000000000026C000-memory.dmp

Filesize
112KB

Download
memory/1712-6-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/1712-7-0x00000000003A0000-0x00000000003AE000-memory.dmp

Filesize
56KB

Download
memory/1712-4-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1712-2-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-87-0x000007FEF5E00000-0x000007FEF67EC000-memory.dmp

Filesize
9.9MB

Download
memory/1712-1-0x00000000002A0000-0x0000000000384000-memory.dmp

Filesize
912KB

Download
memory/1712-5-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download
memory/1712-9-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/1712-0-0x000007FEF5E03000-0x000007FEF5E04000-memory.dmp

Filesize
4KB

Download
memory/1712-8-0x0000000000760000-0x0000000000768000-memory.dmp

Filesize
32KB

Download
memory/1872-179-0x0000000000F30000-0x0000000001014000-memory.dmp

Filesize
912KB

Download
memory/1884-109-0x0000000001390000-0x0000000001474000-memory.dmp

Filesize
912KB

Download
memory/2068-155-0x00000000002D0000-0x00000000003B4000-memory.dmp

Filesize
912KB

Download
memory/2776-121-0x00000000013E0000-0x00000000014C4000-memory.dmp

Filesize
912KB

Download