dcrat | 3490a06a34fbdc0f9d3ae55ff159fe407bf962f67b56bde78a9ad0bb312a1610

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88F34405800FD589303DD080CB702BF0.exe
Size

2.7MB
MD5

88f34405800fd589303dd080cb702bf0
SHA1

ff0464ed91e346e4a28c66e46b521916daacb839
SHA256

3490a06a34fbdc0f9d3ae55ff159fe407bf962f67b56bde78a9ad0bb312a1610
SHA512

430178b4579e748fb0581090d1a96e3acd234b4d4575a0914f9e083b64ede5351fe929413100b05fa298a4172305ec8cb79c82a53acd849365e165195d1c4765
SSDEEP

49152:kJloZITX1N8fHQxECPA8Wpd9MNZesZb6EIAZwgZILA:kJloSTX1yPQxv0tMNIC6K1Kk

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 58 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2924	schtasks.exe
		2004	schtasks.exe
		2964	schtasks.exe
		2836	schtasks.exe
		1744	schtasks.exe
		1556	schtasks.exe
		1488	schtasks.exe
		2388	schtasks.exe
		3064	schtasks.exe
		480	schtasks.exe
		1792	schtasks.exe
		2180	schtasks.exe
		1828	schtasks.exe
		1764	schtasks.exe
		1776	schtasks.exe
		2880	schtasks.exe
		1908	schtasks.exe
		888	schtasks.exe
		2536	schtasks.exe
		2596	schtasks.exe
		1740	schtasks.exe
		2736	schtasks.exe
		2112	schtasks.exe
		2608	schtasks.exe
		2360	schtasks.exe
		876	schtasks.exe
		2740	schtasks.exe
		712	schtasks.exe
		1824	schtasks.exe
		2152	schtasks.exe
		2524	schtasks.exe
		1956	schtasks.exe
		812	schtasks.exe
		1668	schtasks.exe
		860	schtasks.exe
		2540	schtasks.exe
		2696	schtasks.exe
		1036	schtasks.exe
		1052	schtasks.exe
		2192	schtasks.exe
		1064	schtasks.exe
		1732	schtasks.exe
		1332	schtasks.exe
		832	schtasks.exe
		1840	schtasks.exe
		3032	schtasks.exe
		2056	schtasks.exe
File created	C:\Program Files\Windows Defender\es-ES\1610b97d3ab4a7		88F34405800FD589303DD080CB702BF0.exe
		268	schtasks.exe
		2012	schtasks.exe
		1316	schtasks.exe
		848	schtasks.exe
		2648	schtasks.exe
		900	schtasks.exe
		2932	schtasks.exe
		1164	schtasks.exe
		1784	schtasks.exe
		2444	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2668	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2668	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2912-1-0x00000000003A0000-0x0000000000660000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d4b-31.dat	dcrat
behavioral1/memory/2908-67-0x0000000001300000-0x00000000015C0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2908	spoolsv.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\c5b4cb5e9653cc	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Idle.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\886983d96e3d3e	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Windows Defender\es-ES\OSPPSVC.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Windows Defender\es-ES\1610b97d3ab4a7	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\6ad2e03527eec9	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\6ccacd8608530f	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Microsoft Games\FreeCell\ja-JP\csrss.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\88F34405800FD589303DD080CB702BF0.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\f3b6ecef712a24	88F34405800FD589303DD080CB702BF0.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\88F34405800FD589303DD080CB702BF0.exe	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Windows\es-ES\6ad2e03527eec9	88F34405800FD589303DD080CB702BF0.exe
File created	C:\Windows\schemas\EAPHost\System.exe	88F34405800FD589303DD080CB702BF0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2736	schtasks.exe
1332	schtasks.exe
2012	schtasks.exe
1956	schtasks.exe
1776	schtasks.exe
900	schtasks.exe
860	schtasks.exe
1316	schtasks.exe
1744	schtasks.exe
2388	schtasks.exe
2152	schtasks.exe
1732	schtasks.exe
2444	schtasks.exe
2880	schtasks.exe
812	schtasks.exe
2696	schtasks.exe
1784	schtasks.exe
1488	schtasks.exe
1792	schtasks.exe
2596	schtasks.exe
1840	schtasks.exe
2648	schtasks.exe
832	schtasks.exe
1036	schtasks.exe
1908	schtasks.exe
2192	schtasks.exe
1740	schtasks.exe
3032	schtasks.exe
1052	schtasks.exe
2540	schtasks.exe
2004	schtasks.exe
2608	schtasks.exe
888	schtasks.exe
2924	schtasks.exe
2740	schtasks.exe
2536	schtasks.exe
2524	schtasks.exe
1556	schtasks.exe
3064	schtasks.exe
480	schtasks.exe
876	schtasks.exe
2932	schtasks.exe
2964	schtasks.exe
1164	schtasks.exe
712	schtasks.exe
1824	schtasks.exe
2836	schtasks.exe
2056	schtasks.exe
1064	schtasks.exe
1764	schtasks.exe
2360	schtasks.exe
268	schtasks.exe
2112	schtasks.exe
848	schtasks.exe
2180	schtasks.exe
1828	schtasks.exe
1668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
2912	88F34405800FD589303DD080CB702BF0.exe
2912	88F34405800FD589303DD080CB702BF0.exe
2912	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2260	88F34405800FD589303DD080CB702BF0.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe
2908	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	88F34405800FD589303DD080CB702BF0.exe
Token: SeDebugPrivilege	2260	88F34405800FD589303DD080CB702BF0.exe
Token: SeDebugPrivilege	2908	spoolsv.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2260	2912	88F34405800FD589303DD080CB702BF0.exe	40
PID 2912 wrote to memory of 2260	2912	88F34405800FD589303DD080CB702BF0.exe	40
PID 2912 wrote to memory of 2260	2912	88F34405800FD589303DD080CB702BF0.exe	40
PID 2260 wrote to memory of 2908	2260	88F34405800FD589303DD080CB702BF0.exe	89
PID 2260 wrote to memory of 2908	2260	88F34405800FD589303DD080CB702BF0.exe	89
PID 2260 wrote to memory of 2908	2260	88F34405800FD589303DD080CB702BF0.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\88F34405800FD589303DD080CB702BF0.exe
"C:\Users\Admin\AppData\Local\Temp\88F34405800FD589303DD080CB702BF0.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Users\Admin\AppData\Local\Temp\88F34405800FD589303DD080CB702BF0.exe
  "C:\Users\Admin\AppData\Local\Temp\88F34405800FD589303DD080CB702BF0.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe
    "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF08" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\88F34405800FD589303DD080CB702BF0.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF0" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\88F34405800FD589303DD080CB702BF0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF08" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\88F34405800FD589303DD080CB702BF0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF08" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\88F34405800FD589303DD080CB702BF0.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF0" /sc ONLOGON /tr "'C:\Windows\es-ES\88F34405800FD589303DD080CB702BF0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF08" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\88F34405800FD589303DD080CB702BF0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF08" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\88F34405800FD589303DD080CB702BF0.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF0" /sc ONLOGON /tr "'C:\MSOCache\All Users\88F34405800FD589303DD080CB702BF0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "88F34405800FD589303DD080CB702BF08" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\88F34405800FD589303DD080CB702BF0.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\FreeCell\ja-JP\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\FreeCell\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\FreeCell\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe

Filesize
2.7MB

MD5
88f34405800fd589303dd080cb702bf0

SHA1
ff0464ed91e346e4a28c66e46b521916daacb839

SHA256
3490a06a34fbdc0f9d3ae55ff159fe407bf962f67b56bde78a9ad0bb312a1610

SHA512
430178b4579e748fb0581090d1a96e3acd234b4d4575a0914f9e083b64ede5351fe929413100b05fa298a4172305ec8cb79c82a53acd849365e165195d1c4765

Download Submit
memory/2260-27-0x0000000002520000-0x0000000002576000-memory.dmp

Filesize
344KB

Download
memory/2260-28-0x00000000007B0000-0x00000000007C2000-memory.dmp

Filesize
72KB

Download
memory/2908-68-0x0000000000BE0000-0x0000000000BF2000-memory.dmp

Filesize
72KB

Download
memory/2908-67-0x0000000001300000-0x00000000015C0000-memory.dmp

Filesize
2.8MB

Download
memory/2912-12-0x0000000002470000-0x0000000002482000-memory.dmp

Filesize
72KB

Download
memory/2912-16-0x000000001A8C0000-0x000000001A8CE000-memory.dmp

Filesize
56KB

Download
memory/2912-7-0x00000000023D0000-0x00000000023E6000-memory.dmp

Filesize
88KB

Download
memory/2912-8-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2912-9-0x0000000002400000-0x0000000002456000-memory.dmp

Filesize
344KB

Download
memory/2912-10-0x0000000002450000-0x0000000002458000-memory.dmp

Filesize
32KB

Download
memory/2912-11-0x0000000002460000-0x000000000246C000-memory.dmp

Filesize
48KB

Download
memory/2912-0-0x000007FEF5003000-0x000007FEF5004000-memory.dmp

Filesize
4KB

Download
memory/2912-13-0x000000001A8A0000-0x000000001A8A8000-memory.dmp

Filesize
32KB

Download
memory/2912-14-0x000000001A8B0000-0x000000001A8BC000-memory.dmp

Filesize
48KB

Download
memory/2912-15-0x000000001ACC0000-0x000000001ACCC000-memory.dmp

Filesize
48KB

Download
memory/2912-6-0x0000000002240000-0x0000000002250000-memory.dmp

Filesize
64KB

Download
memory/2912-17-0x000000001A8D0000-0x000000001A8DC000-memory.dmp

Filesize
48KB

Download
memory/2912-18-0x000000001ACB0000-0x000000001ACBA000-memory.dmp

Filesize
40KB

Download
memory/2912-19-0x000000001ACD0000-0x000000001ACDC000-memory.dmp

Filesize
48KB

Download
memory/2912-26-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-5-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/2912-4-0x0000000000800000-0x000000000081C000-memory.dmp

Filesize
112KB

Download
memory/2912-3-0x00000000007F0000-0x00000000007FE000-memory.dmp

Filesize
56KB

Download
memory/2912-2-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2912-1-0x00000000003A0000-0x0000000000660000-memory.dmp

Filesize
2.8MB

Download