dcrat | df025008bab8a9d1b780276526007d60abaafb894af2cca82bc633c715945ec5

Analysis

max time kernel
129s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

442867883ccfe230ba518cbc7ccc1faa.exe
Size

1.6MB
MD5

442867883ccfe230ba518cbc7ccc1faa
SHA1

395dc86a807f4675c172bc5e4177aca9cb948cf7
SHA256

e73b6a783715ee86d06a645c158eb006e14b7eaed35c23d2b83afa9377fb7be1
SHA512

507d50d70abbc07b9f46d5567da998850bae6423c8a77ac7369347bb238a14c96788f9149654dda34eb3d0f5f710df8d369e3d00b52024ead4bf87a4fc9d12b3
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2420	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2420	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral5/memory/2596-1-0x0000000000170000-0x0000000000312000-memory.dmp	dcrat
behavioral5/files/0x0005000000019509-25.dat	dcrat
behavioral5/files/0x000500000001962f-40.dat	dcrat
behavioral5/memory/1356-98-0x0000000001360000-0x0000000001502000-memory.dmp	dcrat
behavioral5/memory/1028-150-0x00000000013C0000-0x0000000001562000-memory.dmp	dcrat
behavioral5/files/0x0005000000019451-238.dat	dcrat
behavioral5/files/0x000d000000019641-242.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1516	powershell.exe
1372	powershell.exe
2424	powershell.exe
2184	powershell.exe
2076	powershell.exe
2176	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1356	OSPPSVC.exe
2740	OSPPSVC.exe
1028	OSPPSVC.exe
2088	OSPPSVC.exe
1136	OSPPSVC.exe
1424	OSPPSVC.exe
1952	OSPPSVC.exe
2288	OSPPSVC.exe
1692	OSPPSVC.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXCDA3.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files\Windows Media Player\cc11b995f2a76d	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files (x86)\Google\Temp\System.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXC796.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Windows Media Player\winlogon.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files (x86)\Google\Temp\27d1bcfc3c54e0	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files\Windows Media Player\RCXC728.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCB9F.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXCDA4.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6203df4a6bafc7	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\System.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files\Windows Media Player\winlogon.exe	442867883ccfe230ba518cbc7ccc1faa.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\1610b97d3ab4a7	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXC99A.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\RCXC99B.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCBA0.tmp	442867883ccfe230ba518cbc7ccc1faa.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe	442867883ccfe230ba518cbc7ccc1faa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2912	schtasks.exe
2140	schtasks.exe
2024	schtasks.exe
2836	schtasks.exe
2868	schtasks.exe
2828	schtasks.exe
2844	schtasks.exe
2708	schtasks.exe
340	schtasks.exe
2148	schtasks.exe
1308	schtasks.exe
2508	schtasks.exe
2856	schtasks.exe
2808	schtasks.exe
2716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2596	442867883ccfe230ba518cbc7ccc1faa.exe
2184	powershell.exe
1516	powershell.exe
2176	powershell.exe
2076	powershell.exe
2424	powershell.exe
1372	powershell.exe
1356	OSPPSVC.exe
2740	OSPPSVC.exe
1028	OSPPSVC.exe
2088	OSPPSVC.exe
1136	OSPPSVC.exe
1424	OSPPSVC.exe
1952	OSPPSVC.exe
2288	OSPPSVC.exe
1692	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	442867883ccfe230ba518cbc7ccc1faa.exe
Token: SeDebugPrivilege	1356	OSPPSVC.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2740	OSPPSVC.exe
Token: SeDebugPrivilege	1028	OSPPSVC.exe
Token: SeDebugPrivilege	2088	OSPPSVC.exe
Token: SeDebugPrivilege	1136	OSPPSVC.exe
Token: SeDebugPrivilege	1424	OSPPSVC.exe
Token: SeDebugPrivilege	1952	OSPPSVC.exe
Token: SeDebugPrivilege	2288	OSPPSVC.exe
Token: SeDebugPrivilege	1692	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2176	2596	442867883ccfe230ba518cbc7ccc1faa.exe	47
PID 2596 wrote to memory of 2176	2596	442867883ccfe230ba518cbc7ccc1faa.exe	47
PID 2596 wrote to memory of 2176	2596	442867883ccfe230ba518cbc7ccc1faa.exe	47
PID 2596 wrote to memory of 2076	2596	442867883ccfe230ba518cbc7ccc1faa.exe	48
PID 2596 wrote to memory of 2076	2596	442867883ccfe230ba518cbc7ccc1faa.exe	48
PID 2596 wrote to memory of 2076	2596	442867883ccfe230ba518cbc7ccc1faa.exe	48
PID 2596 wrote to memory of 2184	2596	442867883ccfe230ba518cbc7ccc1faa.exe	49
PID 2596 wrote to memory of 2184	2596	442867883ccfe230ba518cbc7ccc1faa.exe	49
PID 2596 wrote to memory of 2184	2596	442867883ccfe230ba518cbc7ccc1faa.exe	49
PID 2596 wrote to memory of 2424	2596	442867883ccfe230ba518cbc7ccc1faa.exe	52
PID 2596 wrote to memory of 2424	2596	442867883ccfe230ba518cbc7ccc1faa.exe	52
PID 2596 wrote to memory of 2424	2596	442867883ccfe230ba518cbc7ccc1faa.exe	52
PID 2596 wrote to memory of 1372	2596	442867883ccfe230ba518cbc7ccc1faa.exe	54
PID 2596 wrote to memory of 1372	2596	442867883ccfe230ba518cbc7ccc1faa.exe	54
PID 2596 wrote to memory of 1372	2596	442867883ccfe230ba518cbc7ccc1faa.exe	54
PID 2596 wrote to memory of 1516	2596	442867883ccfe230ba518cbc7ccc1faa.exe	56
PID 2596 wrote to memory of 1516	2596	442867883ccfe230ba518cbc7ccc1faa.exe	56
PID 2596 wrote to memory of 1516	2596	442867883ccfe230ba518cbc7ccc1faa.exe	56
PID 2596 wrote to memory of 1356	2596	442867883ccfe230ba518cbc7ccc1faa.exe	59
PID 2596 wrote to memory of 1356	2596	442867883ccfe230ba518cbc7ccc1faa.exe	59
PID 2596 wrote to memory of 1356	2596	442867883ccfe230ba518cbc7ccc1faa.exe	59
PID 1356 wrote to memory of 1496	1356	OSPPSVC.exe	60
PID 1356 wrote to memory of 1496	1356	OSPPSVC.exe	60
PID 1356 wrote to memory of 1496	1356	OSPPSVC.exe	60
PID 1356 wrote to memory of 2888	1356	OSPPSVC.exe	61
PID 1356 wrote to memory of 2888	1356	OSPPSVC.exe	61
PID 1356 wrote to memory of 2888	1356	OSPPSVC.exe	61
PID 1496 wrote to memory of 2740	1496	WScript.exe	62
PID 1496 wrote to memory of 2740	1496	WScript.exe	62
PID 1496 wrote to memory of 2740	1496	WScript.exe	62
PID 2740 wrote to memory of 2932	2740	OSPPSVC.exe	63
PID 2740 wrote to memory of 2932	2740	OSPPSVC.exe	63
PID 2740 wrote to memory of 2932	2740	OSPPSVC.exe	63
PID 2740 wrote to memory of 2856	2740	OSPPSVC.exe	64
PID 2740 wrote to memory of 2856	2740	OSPPSVC.exe	64
PID 2740 wrote to memory of 2856	2740	OSPPSVC.exe	64
PID 2932 wrote to memory of 1028	2932	WScript.exe	65
PID 2932 wrote to memory of 1028	2932	WScript.exe	65
PID 2932 wrote to memory of 1028	2932	WScript.exe	65
PID 1028 wrote to memory of 2272	1028	OSPPSVC.exe	66
PID 1028 wrote to memory of 2272	1028	OSPPSVC.exe	66
PID 1028 wrote to memory of 2272	1028	OSPPSVC.exe	66
PID 1028 wrote to memory of 1588	1028	OSPPSVC.exe	67
PID 1028 wrote to memory of 1588	1028	OSPPSVC.exe	67
PID 1028 wrote to memory of 1588	1028	OSPPSVC.exe	67
PID 2272 wrote to memory of 2088	2272	WScript.exe	68
PID 2272 wrote to memory of 2088	2272	WScript.exe	68
PID 2272 wrote to memory of 2088	2272	WScript.exe	68
PID 2088 wrote to memory of 1704	2088	OSPPSVC.exe	69
PID 2088 wrote to memory of 1704	2088	OSPPSVC.exe	69
PID 2088 wrote to memory of 1704	2088	OSPPSVC.exe	69
PID 2088 wrote to memory of 2188	2088	OSPPSVC.exe	70
PID 2088 wrote to memory of 2188	2088	OSPPSVC.exe	70
PID 2088 wrote to memory of 2188	2088	OSPPSVC.exe	70
PID 1704 wrote to memory of 1136	1704	WScript.exe	71
PID 1704 wrote to memory of 1136	1704	WScript.exe	71
PID 1704 wrote to memory of 1136	1704	WScript.exe	71
PID 1136 wrote to memory of 2388	1136	OSPPSVC.exe	72
PID 1136 wrote to memory of 2388	1136	OSPPSVC.exe	72
PID 1136 wrote to memory of 2388	1136	OSPPSVC.exe	72
PID 1136 wrote to memory of 2952	1136	OSPPSVC.exe	73
PID 1136 wrote to memory of 2952	1136	OSPPSVC.exe	73
PID 1136 wrote to memory of 2952	1136	OSPPSVC.exe	73
PID 2388 wrote to memory of 1424	2388	WScript.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe
"C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\442867883ccfe230ba518cbc7ccc1faa.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1356
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c29a99d-9b04-4eb5-bacd-707af624c9c3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57a65229-973e-43bc-9793-c1ab80a3c3f6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e896023f-a248-4e46-b5d9-d4f4733c5c12.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2583a746-4111-4b46-be1e-25729851681e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a453fe1-2c94-46bc-b452-f2c02a57fc08.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d21da6-53fd-4f2f-a839-8cf525966f54.vbs"
        13⤵
        
        PID:2832
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaf29db3-c64c-4fe1-9472-a728bf26ee99.vbs"
        15⤵
        
        PID:2892
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c371b3b-269e-47ad-9d95-8f2082115ec9.vbs"
        17⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdffd6af-5728-42b0-9b4c-b3ffe77be2dc.vbs"
        19⤵
        
        PID:2624
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        20⤵
        
        PID:1828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f6fb0e3-3989-4399-9032-471c033af575.vbs"
        21⤵
        
        PID:1628
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe"
        22⤵
        
        PID:1888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bb2d29e-bef3-443a-bbac-fd71866a1fd6.vbs"
        23⤵
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10a2825f-7c29-4f92-b384-b16e564e11ff.vbs"
        23⤵
        
        PID:1428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\203ec6d5-be3e-48ad-9e4c-8f15045e8af7.vbs"
        21⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7d7ffd2-89b3-4681-ad19-9998c451ff3c.vbs"
        19⤵
        
        PID:660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6238b33c-4315-4cda-b391-1d5dff7cbfee.vbs"
        17⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d00e747c-00f5-4d7b-9b22-84e51ad5ac77.vbs"
        15⤵
        
        PID:2200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80782f40-7d8d-4f61-8466-bbd59aeb8a7f.vbs"
        13⤵
        
        PID:2844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\045e5b73-c73b-4000-904e-cd1d8d937384.vbs"
        11⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7aa9261-0f41-4c90-8b50-caf78782e2b2.vbs"
        9⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a48218-9d78-47c3-aaee-58a06cd4c897.vbs"
        7⤵
        
        PID:1588
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\267c5ff1-209f-4e4c-aa3f-91d289e67a9c.vbs"
        5⤵
        
        PID:2856
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\372b7b67-227a-4c3a-a008-7f779c8ce123.vbs"
    3⤵
    PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
1.6MB

MD5
442867883ccfe230ba518cbc7ccc1faa

SHA1
395dc86a807f4675c172bc5e4177aca9cb948cf7

SHA256
e73b6a783715ee86d06a645c158eb006e14b7eaed35c23d2b83afa9377fb7be1

SHA512
507d50d70abbc07b9f46d5567da998850bae6423c8a77ac7369347bb238a14c96788f9149654dda34eb3d0f5f710df8d369e3d00b52024ead4bf87a4fc9d12b3

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\OSPPSVC.exe

Filesize
898KB

MD5
30adec9b4d8e1fca52e26f1bb94962bf

SHA1
549d754e113ae850219a27d24b442e8513e037e3

SHA256
4f3a6b3e81ed97fd2a8a736246c47d3ae5cf5146fff301d98c37d6da3794a114

SHA512
bf62736731f130e8cbca70d4243ed73aa54ca387c454e06652661e55b55a6d40b14dce45c967f47b07c22991a326fda8dbfc040b4ee10fb0f18553b869ef7611

Download Submit
C:\Program Files\Windows Media Player\winlogon.exe

Filesize
1.6MB

MD5
e179812b72e813d4f07160a7af793fb0

SHA1
6c5a50f07d0c74c63a960055db34726cbf31c169

SHA256
fa543d95cdf8383250c32a9a435c158895f05ed188b0181750444f80f6e56f76

SHA512
80d757108f9eaf1815f42a464cd0268c6b2a6143b649688a8a343da5833c154b7c889f735309898131b39a2928a173e219112126b3dbb5517b9713eceafcfaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bb2d29e-bef3-443a-bbac-fd71866a1fd6.vbs

Filesize
731B

MD5
70d6c49104e18a3d653f716d1dbbfb63

SHA1
3a5f5e1e0a9718854f814b289f7bbdfe9791f190

SHA256
73447eb8b9a467e2ccbd3c3f900a55e919d1aaf0c6f90bb0bfcf1ee62def9b80

SHA512
4c6c6c6931a16544521e3eca5709f9ae8e3fe8082015cdea4f3b1dab7b329737699df8b5845c21595278b00f566df7d1c40939aea783ac29de24fb0908eb7b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\2583a746-4111-4b46-be1e-25729851681e.vbs

Filesize
731B

MD5
18b1d9b786d2f4c2ad4915ccf4ac0543

SHA1
22ed71bfbd9d62b81aae23708e2ddf539378a514

SHA256
242767466b0fbee2a5cb56051c5e048eb512a636ca3f1afdee0ddcce254b7aa8

SHA512
f7720a4bde440e2fcd50a3a05d05aee0d7db38b05bcfde58db2d8fec484732f83d30b99af10db5fe84d094f889e919216232c5a403bcea47eb74e1adeb53e429

Download Submit
C:\Users\Admin\AppData\Local\Temp\372b7b67-227a-4c3a-a008-7f779c8ce123.vbs

Filesize
507B

MD5
83d6415b3396ee57c1801efcdcf01c8e

SHA1
504f73bf4a19ce0e6766e9dec989949a074bc014

SHA256
2261914c549bcce10fb2ca41002abde7fd0a50b6359b78c996c21d41a4b1c7d9

SHA512
fa67eb7dece3274b43a69d3c874cd0e3f1424a8d1921d177324b037f9492035824d8999a242c8b35fd06f3ec48e6bee0e0b66ea450d08de18bafa30301dbe26d

Download Submit
C:\Users\Admin\AppData\Local\Temp\38d21da6-53fd-4f2f-a839-8cf525966f54.vbs

Filesize
731B

MD5
890d94e5b5f4d9dc9cabedd560531d4d

SHA1
b7cf69bc16046f5a62b496c58e2e279b859d915f

SHA256
d377481369280b80eb8dc1fcd0322719f4da99f1945ce3c688586c0ae88df436

SHA512
b4c0ec7238fc8e48b4edaa4c806d062de2f9d5be04e166027cdcdc0edd77fc300b99de78246d590d0f5c183794905a64b902481183a49ede8c32db3b29698868

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c29a99d-9b04-4eb5-bacd-707af624c9c3.vbs

Filesize
731B

MD5
2aa16f4b18494cd307981b13fd7f6595

SHA1
317ed555f0121c06f238b6832960a01704e0daba

SHA256
4299587fdb1fd8d330e9e1cfe9822993f1536bf512f7f363fef679422eeab640

SHA512
1573eedb42497540df7d6bc959cbffdb555fdc8ff08c8672185edc58a43b07cca05b51ac55ed6b088358ca3e7bf72643a77f13e435ea8b3a87dc12eea5cd4b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4c371b3b-269e-47ad-9d95-8f2082115ec9.vbs

Filesize
731B

MD5
7e44a7b2f8e1cc6959ad0961744c5d61

SHA1
1d779decabb94bdf0695ea2395d163e87e372b43

SHA256
128c9509baceeb8ca1d8f723c3331dbd7d1976d0ecea655c1fa18069a498d087

SHA512
dda6035fc19532a4ad2d6fb49103bce7d8d57455c478e34e016d5475c16766a7777fb96cf1c875dd85a440a2b003c012fa885d55ce88b9de14464aba33d126b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\57a65229-973e-43bc-9793-c1ab80a3c3f6.vbs

Filesize
731B

MD5
0783f21dc3abc10a534c815d05b5144a

SHA1
88bebfadc696040820e517df694b82a2225cd0ce

SHA256
f8bd4f025a20f46a053988800a601658133e306cd683e5b604c93094fc9474c5

SHA512
5420c245f746575282752ec11830e7c26821d53b2504225b5f74b034099930ce4ad7cf54c6a83bb375d3e8528abac94c01c259cbe98c53892dd6a1186f3193ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a453fe1-2c94-46bc-b452-f2c02a57fc08.vbs

Filesize
731B

MD5
faffd25d305a79c3ae0db3c3f3cf1416

SHA1
788a718c93ba76fe018a74f9639b34442cf7f8b0

SHA256
b117b84a0b5ad087ead76e5b6935778e527b8d21f1b05a1bd86bea5234701fa4

SHA512
96873f771140ebe3efd722fa82181d4647d71d5a41b98d20ff0f4976f8edb1d943979273ec423814255ac879472d758590b23e5247ea6c9f7d9e18be53e0323c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f6fb0e3-3989-4399-9032-471c033af575.vbs

Filesize
731B

MD5
3c8a487ea898e4c6a829896fcfa8b43b

SHA1
138f8a4e7f23387b83a4895e378b616f98117d68

SHA256
381be8388da58b97901c814c7e33d8a1677ab22c3c7886e056b16606a5196356

SHA512
26dc3be90983461ca7968a50a488bcca773757282dea8720027c2b81f9acefdd4a07359f300cf7930ee1127d4ba297a6c575173ea52444ddc7df7eac931a0981

Download Submit
C:\Users\Admin\AppData\Local\Temp\aed8e25df82f4ea2ec0de33810a5339b52426169.exe

Filesize
638KB

MD5
f26ab067d82c1e763482db2dc7be565a

SHA1
9dc4affe91f10fba2c6ee8d7e9cbbd295144a912

SHA256
cb842d8b90d93f3371ae6d6c832cc0a346e2540b66729d70ac96df26d0b4f6b9

SHA512
4997d2ffba1447ee3319e41db459d5a1645d777154f0ca53a400459d865389afdaecfde0ed2abbc6af2f13c4ee02025dfaef6d149aa16fac612d327d94412522

Download Submit
C:\Users\Admin\AppData\Local\Temp\cdffd6af-5728-42b0-9b4c-b3ffe77be2dc.vbs

Filesize
731B

MD5
faf155ccc33f4af7f84c5993cbf1b4dd

SHA1
f69803b354c75910e415184af5df11dbf4181a69

SHA256
bf58ef4afc553bdf6733dbb416d545aa387861bee4513e3334c904255b37b5f7

SHA512
a847960e863aa39cea888172e61cac799a1f0e1fba11894b815fb02158ac4ecd3a565585ea07a76a5c4cfb46a50f11ad6ed6ffb877e584849467b065d43b5b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\e896023f-a248-4e46-b5d9-d4f4733c5c12.vbs

Filesize
731B

MD5
78fbbec90765345a28d53ddad1dfe9fc

SHA1
3b3a59fbdb5589a94f271f8d30b784093366389f

SHA256
9ef0957185258780a5530242f7ab8bc61fce8a1912fdca3cedeedb08cd5e9554

SHA512
dea474e452217853ad26ae0c7e66930eab714eb36f620ffe7ea26bfb2413e22c3e5811b335e5837f6f3a92e30372d942133946bf0b52ea394d3ede612d276c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaf29db3-c64c-4fe1-9472-a728bf26ee99.vbs

Filesize
731B

MD5
9e630c2d2716c9690439bcf3458ba289

SHA1
d972e6eed7e478ee8eb6966a67c16b1716fbb7fa

SHA256
0fbc0208536eefd23a3dbbbc31a6740660676231dcf8c9dbc6b3675b1986d90c

SHA512
2704c8b565e774a975526852b784b4e45f49f5621ed00bd3530b21b67a6f9c2502679c7a7bc044c38e91934a9d49baa3aec235c32443aa62b19785c91606b8c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TVJT8ALG704HBGSP1MJ5.temp

Filesize
7KB

MD5
e2e91abc4518d2dc1c4e4c57c7ae5d4a

SHA1
b27d8a9110775207bc514aab53e5f048495cfcb7

SHA256
a11ef5d969191508f251e7a62599e87c40550fae12a6c187136c155b9be3cb4f

SHA512
299e1bd3756853475ed49a2ac77bf8d91219a111088353b96ee7962216d8e8960d039ec45ac33c35987c479813a29636fd56c87602e8c14716a4a59235584ab7

Download Submit
memory/1028-150-0x00000000013C0000-0x0000000001562000-memory.dmp

Filesize
1.6MB

Download
memory/1356-98-0x0000000001360000-0x0000000001502000-memory.dmp

Filesize
1.6MB

Download
memory/2184-125-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2184-126-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2596-14-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2596-16-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/2596-10-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/2596-11-0x00000000020F0000-0x00000000020FA000-memory.dmp

Filesize
40KB

Download
memory/2596-12-0x0000000002100000-0x000000000210E000-memory.dmp

Filesize
56KB

Download
memory/2596-13-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/2596-0-0x000007FEF53F3000-0x000007FEF53F4000-memory.dmp

Filesize
4KB

Download
memory/2596-8-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2596-15-0x000000001A810000-0x000000001A81A000-memory.dmp

Filesize
40KB

Download
memory/2596-115-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-9-0x0000000001FA0000-0x0000000001FAC000-memory.dmp

Filesize
48KB

Download
memory/2596-5-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/2596-6-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2596-7-0x0000000001FC0000-0x0000000001FD0000-memory.dmp

Filesize
64KB

Download
memory/2596-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2596-3-0x0000000000490000-0x00000000004AC000-memory.dmp

Filesize
112KB

Download
memory/2596-2-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2596-1-0x0000000000170000-0x0000000000312000-memory.dmp

Filesize
1.6MB

Download