dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0343adab1970d928320ce2aa587fd3.exe
Size

1.6MB
MD5

1f0343adab1970d928320ce2aa587fd3
SHA1

e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
SHA256

9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
SHA512

c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2776	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/2484-1-0x0000000000C00000-0x0000000000DA2000-memory.dmp	dcrat
behavioral19/files/0x000500000001a497-25.dat	dcrat
behavioral19/files/0x000b00000001a4b5-90.dat	dcrat
behavioral19/memory/1908-147-0x0000000000B60000-0x0000000000D02000-memory.dmp	dcrat
behavioral19/memory/2924-158-0x0000000001160000-0x0000000001302000-memory.dmp	dcrat
behavioral19/memory/2808-203-0x0000000001260000-0x0000000001402000-memory.dmp	dcrat
behavioral19/memory/1928-237-0x00000000012B0000-0x0000000001452000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
2068	powershell.exe
1808	powershell.exe
340	powershell.exe
1208	powershell.exe
2456	powershell.exe
1156	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1908	taskhost.exe
2924	taskhost.exe
1736	taskhost.exe
852	taskhost.exe
2648	taskhost.exe
2808	taskhost.exe
2800	taskhost.exe
2728	taskhost.exe
1928	taskhost.exe
2544	taskhost.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\b75386f1303e64	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCX8FF9.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX946F.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\1610b97d3ab4a7	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\RCX8FF8.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX9470.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\taskhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Windows Defender\taskhost.exe	1f0343adab1970d928320ce2aa587fd3.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\RCX8BF0.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\de-DE\winlogon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\de-DE\winlogon.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\de-DE\cc11b995f2a76d	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\de-DE\RCX8BEF.tmp	1f0343adab1970d928320ce2aa587fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1376	schtasks.exe
2832	schtasks.exe
2600	schtasks.exe
2308	schtasks.exe
2540	schtasks.exe
2296	schtasks.exe
2816	schtasks.exe
2720	schtasks.exe
2076	schtasks.exe
1812	schtasks.exe
1432	schtasks.exe
2984	schtasks.exe
1844	schtasks.exe
2404	schtasks.exe
2512	schtasks.exe
2952	schtasks.exe
2944	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2484	1f0343adab1970d928320ce2aa587fd3.exe
340	powershell.exe
1208	powershell.exe
2456	powershell.exe
2068	powershell.exe
1956	powershell.exe
1808	powershell.exe
1156	powershell.exe
1908	taskhost.exe
2924	taskhost.exe
1736	taskhost.exe
852	taskhost.exe
2648	taskhost.exe
2808	taskhost.exe
2800	taskhost.exe
2728	taskhost.exe
1928	taskhost.exe
2544	taskhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1908	taskhost.exe
Token: SeDebugPrivilege	2924	taskhost.exe
Token: SeDebugPrivilege	1736	taskhost.exe
Token: SeDebugPrivilege	852	taskhost.exe
Token: SeDebugPrivilege	2648	taskhost.exe
Token: SeDebugPrivilege	2808	taskhost.exe
Token: SeDebugPrivilege	2800	taskhost.exe
Token: SeDebugPrivilege	2728	taskhost.exe
Token: SeDebugPrivilege	1928	taskhost.exe
Token: SeDebugPrivilege	2544	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 1808	2484	1f0343adab1970d928320ce2aa587fd3.exe	49
PID 2484 wrote to memory of 1808	2484	1f0343adab1970d928320ce2aa587fd3.exe	49
PID 2484 wrote to memory of 1808	2484	1f0343adab1970d928320ce2aa587fd3.exe	49
PID 2484 wrote to memory of 340	2484	1f0343adab1970d928320ce2aa587fd3.exe	50
PID 2484 wrote to memory of 340	2484	1f0343adab1970d928320ce2aa587fd3.exe	50
PID 2484 wrote to memory of 340	2484	1f0343adab1970d928320ce2aa587fd3.exe	50
PID 2484 wrote to memory of 1208	2484	1f0343adab1970d928320ce2aa587fd3.exe	51
PID 2484 wrote to memory of 1208	2484	1f0343adab1970d928320ce2aa587fd3.exe	51
PID 2484 wrote to memory of 1208	2484	1f0343adab1970d928320ce2aa587fd3.exe	51
PID 2484 wrote to memory of 2456	2484	1f0343adab1970d928320ce2aa587fd3.exe	52
PID 2484 wrote to memory of 2456	2484	1f0343adab1970d928320ce2aa587fd3.exe	52
PID 2484 wrote to memory of 2456	2484	1f0343adab1970d928320ce2aa587fd3.exe	52
PID 2484 wrote to memory of 1156	2484	1f0343adab1970d928320ce2aa587fd3.exe	53
PID 2484 wrote to memory of 1156	2484	1f0343adab1970d928320ce2aa587fd3.exe	53
PID 2484 wrote to memory of 1156	2484	1f0343adab1970d928320ce2aa587fd3.exe	53
PID 2484 wrote to memory of 1956	2484	1f0343adab1970d928320ce2aa587fd3.exe	54
PID 2484 wrote to memory of 1956	2484	1f0343adab1970d928320ce2aa587fd3.exe	54
PID 2484 wrote to memory of 1956	2484	1f0343adab1970d928320ce2aa587fd3.exe	54
PID 2484 wrote to memory of 2068	2484	1f0343adab1970d928320ce2aa587fd3.exe	55
PID 2484 wrote to memory of 2068	2484	1f0343adab1970d928320ce2aa587fd3.exe	55
PID 2484 wrote to memory of 2068	2484	1f0343adab1970d928320ce2aa587fd3.exe	55
PID 2484 wrote to memory of 1768	2484	1f0343adab1970d928320ce2aa587fd3.exe	63
PID 2484 wrote to memory of 1768	2484	1f0343adab1970d928320ce2aa587fd3.exe	63
PID 2484 wrote to memory of 1768	2484	1f0343adab1970d928320ce2aa587fd3.exe	63
PID 1768 wrote to memory of 1708	1768	cmd.exe	65
PID 1768 wrote to memory of 1708	1768	cmd.exe	65
PID 1768 wrote to memory of 1708	1768	cmd.exe	65
PID 1768 wrote to memory of 1908	1768	cmd.exe	66
PID 1768 wrote to memory of 1908	1768	cmd.exe	66
PID 1768 wrote to memory of 1908	1768	cmd.exe	66
PID 1908 wrote to memory of 2324	1908	taskhost.exe	67
PID 1908 wrote to memory of 2324	1908	taskhost.exe	67
PID 1908 wrote to memory of 2324	1908	taskhost.exe	67
PID 1908 wrote to memory of 2984	1908	taskhost.exe	68
PID 1908 wrote to memory of 2984	1908	taskhost.exe	68
PID 1908 wrote to memory of 2984	1908	taskhost.exe	68
PID 2324 wrote to memory of 2924	2324	WScript.exe	70
PID 2324 wrote to memory of 2924	2324	WScript.exe	70
PID 2324 wrote to memory of 2924	2324	WScript.exe	70
PID 2924 wrote to memory of 608	2924	taskhost.exe	71
PID 2924 wrote to memory of 608	2924	taskhost.exe	71
PID 2924 wrote to memory of 608	2924	taskhost.exe	71
PID 2924 wrote to memory of 2200	2924	taskhost.exe	72
PID 2924 wrote to memory of 2200	2924	taskhost.exe	72
PID 2924 wrote to memory of 2200	2924	taskhost.exe	72
PID 608 wrote to memory of 1736	608	WScript.exe	73
PID 608 wrote to memory of 1736	608	WScript.exe	73
PID 608 wrote to memory of 1736	608	WScript.exe	73
PID 1736 wrote to memory of 1636	1736	taskhost.exe	74
PID 1736 wrote to memory of 1636	1736	taskhost.exe	74
PID 1736 wrote to memory of 1636	1736	taskhost.exe	74
PID 1736 wrote to memory of 984	1736	taskhost.exe	75
PID 1736 wrote to memory of 984	1736	taskhost.exe	75
PID 1736 wrote to memory of 984	1736	taskhost.exe	75
PID 1636 wrote to memory of 852	1636	WScript.exe	76
PID 1636 wrote to memory of 852	1636	WScript.exe	76
PID 1636 wrote to memory of 852	1636	WScript.exe	76
PID 852 wrote to memory of 976	852	taskhost.exe	77
PID 852 wrote to memory of 976	852	taskhost.exe	77
PID 852 wrote to memory of 976	852	taskhost.exe	77
PID 852 wrote to memory of 640	852	taskhost.exe	78
PID 852 wrote to memory of 640	852	taskhost.exe	78
PID 852 wrote to memory of 640	852	taskhost.exe	78
PID 976 wrote to memory of 2648	976	WScript.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
"C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m147yiIR6h.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1708
- - C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
    "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa7c3777-d819-4258-b2bc-e934a190427e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe966828-6734-4d5f-b7ca-c4ae02a1c75b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55d53c0d-c199-4cae-97f0-242f3bdf6b6c.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fe08952-1298-41de-a608-96742cff5f9c.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c182d2a4-d229-4ec8-b530-b609aeae9104.vbs"
        12⤵
        
        PID:2508
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b6413d1-5d5b-420e-8b48-db4fb48711b9.vbs"
        14⤵
        
        PID:980
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efdbe7c0-a8e0-4ff4-b4e4-d27b348818ea.vbs"
        16⤵
        
        PID:2556
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e1a3e5f-f3b4-4261-bdb5-743f189cd64c.vbs"
        18⤵
        
        PID:1740
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf0209b5-b8f0-40a3-b588-c9314f7d86d1.vbs"
        20⤵
        
        PID:2616
        
        C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe
        
        "C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\395160f0-af58-48ee-b7c4-8e3770c22f45.vbs"
        22⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f667eea-fe74-4175-b2f1-6d8d16fd8af6.vbs"
        22⤵
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9faeeee8-b848-44ae-beec-950a9dc144d6.vbs"
        20⤵
        
        PID:1232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a965864c-f31f-4016-8beb-8233f310b1f6.vbs"
        18⤵
        
        PID:2008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bf423c1-999b-4342-b877-336189a1d981.vbs"
        16⤵
        
        PID:552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\610bb9c5-ca0d-4c4f-8066-c37a76671ec7.vbs"
        14⤵
        
        PID:1820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\233ab7b9-7661-4ad0-ba5d-4434d1079355.vbs"
        12⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\346bc1d2-202c-41ce-a8a3-3b48a5ea12f3.vbs"
        10⤵
        
        PID:640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7f652b-d4a2-4a29-9ad8-47135b37fc32.vbs"
        8⤵
        
        PID:984
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b611c70-1514-434d-96d8-b79d9a7dd15f.vbs"
        6⤵
        
        PID:2200
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a9d978a-a253-449d-b0f1-860b512c640f.vbs"
      4⤵
      PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe

Filesize
1.6MB

MD5
1f0343adab1970d928320ce2aa587fd3

SHA1
e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8

SHA256
9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4

SHA512
c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe

Filesize
1.6MB

MD5
c96886099d46af697ee1a1b49dcb00a8

SHA1
e81577d823617f5c086cd54cb7710d77cbbeb6a3

SHA256
0daabdb4ab763cd0ce003ca123483792f25ac66aeb00a70ec3d5df0aa602037f

SHA512
cb360cb35076508a80be41615d6b0601c61ea6af3376092f03c8568e90bdc8abb34eed884137f95ec966d7403e4b0390f54b9d8777d924fd34aad2e531e6f40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e1a3e5f-f3b4-4261-bdb5-743f189cd64c.vbs

Filesize
744B

MD5
ff609ca7654b538fc5f1773b6266f76e

SHA1
3a56093859c941034a848bee5169b9baa03c56b5

SHA256
21fcf32c4ff8c48ee25feba0a11aac2b55a9d39c1ea3d8b9f17aba590905993f

SHA512
88d02cd9098179f1b2895e04991a1e98a43e2dc6aeec94612515414592c567b349d52bf8bb107f176757e2734ffd0af23494e13f0e75fa6f9f5eb45a7167b3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fe08952-1298-41de-a608-96742cff5f9c.vbs

Filesize
743B

MD5
ca234d72c89436e5b46f85d5c9139396

SHA1
b84bc0c8de9737d4388f083615860af2262025cb

SHA256
7d5b72d5dc743b50d587e92583141a865c4106eab38a31f910a8edd75af8922c

SHA512
3598586b1c58265c780ac2a27417764b346f26ee0d86c19d4c3984fc6571fee6676c8fec5cc60d159335474ade2bb29d56d6ffea853f771c632a882252d8f11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\395160f0-af58-48ee-b7c4-8e3770c22f45.vbs

Filesize
744B

MD5
aa5032e277dd97fbff5fa3043d463811

SHA1
f42897dd6e90ba3bffb56b0e17d916b8422afe27

SHA256
1e26d3a376483b7d06290e0233e33db286df0312e6962b862eece0cf48416851

SHA512
6b9957596274c83152f946f742ed0527add69f9270b1a9ece661329c503f085af6be517b27575aec672d8274bb0273ab59953d477c17112a1dfa3d461f0a203e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a9d978a-a253-449d-b0f1-860b512c640f.vbs

Filesize
520B

MD5
fb49d9f039e4ada7ea0dba8898bf9958

SHA1
e6fdadf2ebf9759d1d6c6061d2ba615eda12d348

SHA256
b36b312522e54c6bd41cd82ac0d9f6bca8390a78555b92655b092d5ebc13e582

SHA512
ab163d6807d2ac4c7fcf10847e8335eaccfdc3d6012b380e54be81da59600a142977a23d18b870ef36d54420a43ead548016df92ceabd35b151d46f8b92767a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\55d53c0d-c199-4cae-97f0-242f3bdf6b6c.vbs

Filesize
744B

MD5
25b3469cea3d291bcfc05b2822a22681

SHA1
5ef984928fa2416bf02cbf24088bb4ca07152228

SHA256
ac14b741fbcc32e1f3ad038794212ff9965aa60ef76f0fd13568ae8bbfdf37ae

SHA512
db67789b171d8fcae0fbf0b6d3ed38681e43d1fefe7a218ad01c589acdabea92ea1c7ba4cb8876298f9c27952ad7e188bcf5c0f472a511f0a168fd08b5cd6968

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b6413d1-5d5b-420e-8b48-db4fb48711b9.vbs

Filesize
744B

MD5
ffde8c065d59d2b3ffdcdb42876681d6

SHA1
d0b9d627189aa751d3cb9618ac2eaada88770df1

SHA256
cd1ea41e0574860d5986b1a429c45384cc6642bce3101114e63bcd9b87d9c4cb

SHA512
6508b6d4e04c257f7729fa9ed5775652cc1c2a424cf24f1539fe1cfe8374b4ab5c1441535f52081db1c86f19501dd3923dbf209bf91493f8f683e2e48d6a8df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\c182d2a4-d229-4ec8-b530-b609aeae9104.vbs

Filesize
744B

MD5
00908c1082a87c7cc419b0e5bd5bca1f

SHA1
8bf22a5764d776ad625be02de568a3cea1405f9d

SHA256
c1c1f53193a7975e520e91cd984e3da567682f2b4218a42935e4e3253d2f68c0

SHA512
f16ce0c0f1dfc40923cc62718e90d6db6878d45c23ac1ed11b424c0d97725e1df201aa573ae083081f06265252cbbfc367603167cb81635ab55dad91d2d96539

Download Submit
C:\Users\Admin\AppData\Local\Temp\cf0209b5-b8f0-40a3-b588-c9314f7d86d1.vbs

Filesize
744B

MD5
6088a3c875e2c14b2271cbef11e08414

SHA1
086c8fc63ee3eb39b0dc4c36e733bf9fa46fae51

SHA256
a132e00e0154c671d325f5c51adca7cf3f79083c2b2931121f386e74a8a49dbb

SHA512
5b94069186c929268c854c108b6eb9a4766279434fd825f59d3ce0e9009d1d994eebebbb1802dd8127cdef81b8434ba1693c6cc7de6b4867ed7fa5fc419e981d

Download Submit
C:\Users\Admin\AppData\Local\Temp\efdbe7c0-a8e0-4ff4-b4e4-d27b348818ea.vbs

Filesize
744B

MD5
808d8a9bb64424e23e0865dbf633a4ae

SHA1
4bff07f182c099cd3e098c67e72c6abaf87688c7

SHA256
c6f157f9e23d030efd2a4fe09cc972636761a61faac0b5ad03dd1ed4518416b4

SHA512
e92090056d708f25061307b8356b2387c2ada01317816e1dea98fe894f4b15a062e1c81b604e67e945e8818100a7eee322bccd6fa1ab62b8df13a97f081902a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa7c3777-d819-4258-b2bc-e934a190427e.vbs

Filesize
744B

MD5
a83bd3e91467266dba30ae4c34aef2bc

SHA1
59427513d35aef0b6597c0c5afc7002ba365a363

SHA256
8fac58cc4ca84965c593f8507de0076249d41c6c433a94fded86923f92968ad6

SHA512
485a5f8417fcadb5a8515acebce9899de5a5480c999280780438b3a665a1ab132e7acfc90cd3a7f606c0ef42da3d93ad63bc8699b4f76465eedfb994bb8697cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe966828-6734-4d5f-b7ca-c4ae02a1c75b.vbs

Filesize
744B

MD5
d3bd621c737793fc3483c9ca9c63f49e

SHA1
750865ce6210a16919afca29ae92c6f4c3fc018e

SHA256
b08b7e3d416c83b4826c5771a92ba452b8f480ae2e25e99b98b60847854909fd

SHA512
424feabc043544eb0f908d4cec31838e423900e33b124fd2438083802359dd24cd56607e2f9507e8bf1a734919f2c4d6d7a72342562438260d833b8a02e9bf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\m147yiIR6h.bat

Filesize
233B

MD5
ea32dcf0d6f6a74ef20c0e6c3c0e0215

SHA1
9882420d3fdc4ab55ca5ec9912fc3ff7a10d446c

SHA256
db8a8cc457188c63669e51bb1f12ae03912d67b0af50b1ed19d92a40c5af9053

SHA512
a7f0ca66b089e52147d70bdf842983d34e9bcbdc54f43d123998557c7aa9be8dbeeeec2fa0b0ed8cdf011d65d0a75423300198031c04ba9c46a3ef5c77ca1695

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C6OTJH11XL2BDQ5T8ZJ1.temp

Filesize
7KB

MD5
770e1e48203dce24dd346d32d5faea85

SHA1
2a9071c991f5997326a195d9345ce3920cf1fd40

SHA256
fd83735984b4cef4f2db0e2eaabaad1015365b5f13a24d913034b31018fc4f53

SHA512
a122b7961302230bfc070ceece77bd017287826312122baa0b59d2e096b7a6fda4e4d4ffa68c64801e8a32f827bd850c69f9c63acc241aaca46c502d64de60a2

Download Submit
memory/340-135-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download
memory/340-116-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1908-147-0x0000000000B60000-0x0000000000D02000-memory.dmp

Filesize
1.6MB

Download
memory/1928-237-0x00000000012B0000-0x0000000001452000-memory.dmp

Filesize
1.6MB

Download
memory/2484-9-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2484-10-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2484-16-0x00000000022D0000-0x00000000022DC000-memory.dmp

Filesize
48KB

Download
memory/2484-14-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2484-15-0x00000000022C0000-0x00000000022CA000-memory.dmp

Filesize
40KB

Download
memory/2484-13-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2484-12-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2484-11-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/2484-1-0x0000000000C00000-0x0000000000DA2000-memory.dmp

Filesize
1.6MB

Download
memory/2484-110-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-0-0x000007FEF5443000-0x000007FEF5444000-memory.dmp

Filesize
4KB

Download
memory/2484-8-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2484-7-0x00000000007D0000-0x00000000007E0000-memory.dmp

Filesize
64KB

Download
memory/2484-2-0x000007FEF5440000-0x000007FEF5E2C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-6-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2484-5-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2484-4-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/2484-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2808-203-0x0000000001260000-0x0000000001402000-memory.dmp

Filesize
1.6MB

Download
memory/2924-158-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download