Overview

overview

10

Static

static

10

96c2e9a237...d0.exe

windows7-x64

10

96c2e9a237...d0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2024 02:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    96c2e9a2370d0df91033333bb9f4dd0662af2c7cd15a2f23ba2b9bb8a699aad0.exe

  • Size

    2.3MB

  • MD5

    d9b4b4579b6c61fd94d69d7fceb5f51e

  • SHA1

    7c14d43649b8f78065f6a53e38fb20e69f77c376

  • SHA256

    96c2e9a2370d0df91033333bb9f4dd0662af2c7cd15a2f23ba2b9bb8a699aad0

  • SHA512

    fa37fb61c39d089f3e0313c6b35e2644b26d8cb5af90691589b17d30509cde4af74c93c5dd585d6fafae3a1319a8e3ffa6aa4878bdd3bb7d8a33eecf598dae11

  • SSDEEP

    49152:UbA30/6uKKVR8qNFi+fY8GNTQbVxZdmbvCy6xk0lMA2u/lgqY:UbOuN8qbfY85KbvCjuQ2r

Score
10/10
dcratdiscoveryevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 63 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\96c2e9a2370d0df91033333bb9f4dd0662af2c7cd15a2f23ba2b9bb8a699aad0.exe
    "C:\Users\Admin\AppData\Local\Temp\96c2e9a2370d0df91033333bb9f4dd0662af2c7cd15a2f23ba2b9bb8a699aad0.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Agentref\owPgZv.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Agentref\x525Aw58wgGh.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2052
        • C:\Agentref\serverDriverMonitor.exe
          "C:\Agentref\serverDriverMonitor.exe"
          4⤵
          • DcRat
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4928
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k6Sj7BHaIo.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2384
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3124
              • C:\Agentref\serverDriverMonitor.exe
                "C:\Agentref\serverDriverMonitor.exe"
                6⤵
                • UAC bypass
                • Checks computer location settings
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                • System policy modification
                PID:3876
                • C:\Recovery\WindowsRE\WaaSMedicAgent.exe
                  "C:\Recovery\WindowsRE\WaaSMedicAgent.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious behavior: GetForegroundWindowSpam
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1656
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0dd12eda-00ca-490f-9def-d2b68c55de1f.vbs"
                    8⤵
                      PID:3592
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2496939c-7cf2-40ec-bdda-05ae81731df3.vbs"
                      8⤵
                        PID:2884
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Agentref\taskhostw.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Agentref\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3420
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Agentref\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Agentref\spoolsv.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1048
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Agentref\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Agentref\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2912
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3240
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2712
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Agentref\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Agentref\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Agentref\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Agentref\SearchApp.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Agentref\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2024
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Agentref\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4084
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:464
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4720
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:804
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1448
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1632
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3828
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4176
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4224
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2552
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\upfc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2740
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Agentref\cmd.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4196
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Agentref\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4152
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Agentref\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\reports\services.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2616
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Crashpad\reports\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1428
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2604
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\IdentityCRL\INT\TextInputHost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\INT\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2496
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4952
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\WaaSMedicAgent.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4696
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1556

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Agentref\owPgZv.vbe
          Filesize

          197B

          MD5

          0d5aefa3c43518d920c22edbedbc89a9

          SHA1

          c83cca811f929b69bf1b4f718373f8a37f5721cd

          SHA256

          c4204aba735a3ffed104da1e734b06e30ccf4c30cec6447a6c7c07e8c262b6f9

          SHA512

          431067fbca5b0d27d290d3627acfd5edc4461e540359d13a0b17a964c93141f0a98be739c5c4d7405d6b4293b8c161f856d1619eb1f75823f769cc0faa60425c

          Download Submit

        • C:\Agentref\serverDriverMonitor.exe
          Filesize

          2.0MB

          MD5

          fc975c6529d815edd1ad7fdcf717a85f

          SHA1

          84c7b446e4d3915a6968242ef8fa2bd2facf2314

          SHA256

          67b1bda1f5c4225232425b51ebd6ad53d12bea40d581823d3491bdb3c3f34cf1

          SHA512

          ecd2d6db9fe10b138951b558fb8f00ae30b9495fd14d7766e2f70045bef6908ba3492711e62adb3af750e373dc47121520302757fcbbb00a47fdf2545fbbb22a

          Download Submit

        • C:\Agentref\x525Aw58wgGh.bat
          Filesize

          37B

          MD5

          f89871c7b07a892e3b5b74f32b3ded9a

          SHA1

          7d425f9f3a2796307ca2a5acd5c743038f73c7d7

          SHA256

          c1844a2fcb48d78a6b3755e29f6bb41ecd194414bbe0f2a9f21a9d846171141e

          SHA512

          772c36d0a490a2aff151582d2d7f1f06f828baaf0a5d7b7651d758097db6a7aab9659944ec41a73ac9b7103866ad4077dd6dd813c1cd307109b9548aa879b750

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\serverDriverMonitor.exe.log
          Filesize

          1KB

          MD5

          7f3c0ae41f0d9ae10a8985a2c327b8fb

          SHA1

          d58622bf6b5071beacf3b35bb505bde2000983e3

          SHA256

          519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

          SHA512

          8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0dd12eda-00ca-490f-9def-d2b68c55de1f.vbs
          Filesize

          716B

          MD5

          8e72a4673f18c1f1aea71a75e5fee546

          SHA1

          b592282e245b1c8688f5bcda0859af9633ced61e

          SHA256

          df2af051dd68db1a781837819090999ec6b9131ff1763cb1284b4a3c75579681

          SHA512

          d7da969b896c143faf590edcf85d692321ce50194b352abcedfd6eb747ab43e8a767340f7df469e0a478c1537e6640454fe6575626b916c7c09f23d6c27ef11c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\2496939c-7cf2-40ec-bdda-05ae81731df3.vbs
          Filesize

          492B

          MD5

          6cbc135d7995b319c5a24865ba973298

          SHA1

          7c8229814c254c6b299ad7c0ac70f8f949c2cf95

          SHA256

          df853ec8aa2e9794ac4b8a23f8d52959675c75605895300169563414085df00b

          SHA512

          91b15034dade578165721d06c925b8be7d08957ede0344841423aae8cec82e8b397831f62df797e421e2ca34d97d1cdbaad1b2d9dc57f370b318a87e5104c81f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\k6Sj7BHaIo.bat
          Filesize

          200B

          MD5

          fd78dbef8f2a8405b4737e50542807bc

          SHA1

          9f229083860d6b2d0cd40b53a243a8916e004092

          SHA256

          6ebd1888e6e99acfcb81c9e6f80e562bb6c5836cc5510e7acfc4798059b6f6a8

          SHA512

          a21fc20c31fa21f4354c89df62a057519e77056413f0a4ac10ca0c33aa7db45e687d5b563b751e41692f7017bdc6668f987d083ce5c8651b5b0b5126207dafa2

          Download Submit

        • memory/4928-15-0x000000001C350000-0x000000001C3A6000-memory.dmp

          Filesize

          344KB

          Download

        • memory/4928-17-0x000000001C3B0000-0x000000001C3BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4928-18-0x000000001C3C0000-0x000000001C3CC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4928-56-0x00007FFDEF5D0000-0x00007FFDEF925000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/4928-16-0x000000001C3A0000-0x000000001C3AC000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4928-14-0x000000001BC20000-0x000000001BC2A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4928-13-0x0000000000F30000-0x0000000001130000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4928-12-0x00007FFDEF5D0000-0x00007FFDEF925000-memory.dmp

          Filesize

          3.3MB

          Download