Analysis
-
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 30/12/2024, 02:12
Behavioral task behavioral1
Sample: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
Resource: win10v2004-20241007-en
General
-
Target: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
Size: 1.1MB
MD5: 027bbb0a4d9b911c6d707866e98c1314
SHA1: bfbdb849dcf89395492d916b69308505b87bb7fc
SHA256: 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c
SHA512: a66535cebff5e208c685c9f7a880e7bf36a70872cabd512ffdb8e97497c9f4438f7ebc213303487d9a652f1dabdbc438b5bd98be1cd0ed1accfe896cac69e94c
SSDEEP: 24576:U2G/nvxW3Ww0t9XYOIWhhyjpaMwvhIhL2pCrC:UbA309YOIXEElW
Malware Config
Signatures
-
DcRat 37 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
description / ioc / pid / Process:
Process schtasks.exe, pids: 2864, 2156, 3000, 692, 2644, 2924, 1624, 2124, 1700, 1636, 2724, 2620, 2964, 1044, 300, 2916, 2432, 2788, 1036, 2080, 1148, 1408, 1512, 2688, 1204, 2896, 1848, 2504, 1352, 3060, 2268, 540, 984, 2660, 1420, 1752 (36 IoCs)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process 2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe (1 IoC)
-
Dcrat family
-
Process spawned unexpected child process 36 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description / pid / pid_target / Process / procid_target:
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid_target 2848, procid_target 35) is not expected to spawn this process. Spawned Process: schtasks.exe, 36 instances, pids: 2644, 2788, 2864, 2724, 2620, 2688, 300, 2916, 2924, 2432, 1204, 984, 2660, 2896, 1700, 1036, 1420, 2964, 1752, 2156, 3060, 1044, 2268, 1848, 2080, 1624, 2124, 1636, 3000, 692, 1148, 1408, 540, 1512, 2504, 1352
-
resource / yara_rule:
behavioral1/files/0x000700000001925c-12.dat  dcrat
behavioral1/memory/2760-13-0x0000000000AE0000-0x0000000000BB6000-memory.dmp  dcrat
behavioral1/memory/1984-46-0x0000000000330000-0x0000000000406000-memory.dmp  dcrat
-
Executes dropped EXE 3 IoCs
pid / Process:
2760  msbrowser.exe
2200  msbrowser.exe
1984  lsm.exe
-
Loads dropped DLL 2 IoCs
pid / Process:
588  cmd.exe
588  cmd.exe
-
Drops file in Program Files directory 12 IoCs
description / ioc / Process:
File created  C:\Program Files\Windows Photo Viewer\ja-JP\42af1c969fbb7b  msbrowser.exe
File created  C:\Program Files\Internet Explorer\fr-FR\winlogon.exe  msbrowser.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\en-US\101b941d020240  msbrowser.exe
File created  C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe  msbrowser.exe
File created  C:\Program Files\Windows Media Player\fr-FR\csrss.exe  msbrowser.exe
File created  C:\Program Files\Windows Media Player\fr-FR\886983d96e3d3e  msbrowser.exe
File created  C:\Program Files\Windows Sidebar\it-IT\WmiPrvSE.exe  msbrowser.exe
File created  C:\Program Files (x86)\Windows Mail\it-IT\msbrowser.exe  msbrowser.exe
File created  C:\Program Files (x86)\Windows Mail\it-IT\121a4cfddf2121  msbrowser.exe
File created  C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe  msbrowser.exe
File created  C:\Program Files\Windows Sidebar\it-IT\24dbde2999530e  msbrowser.exe
File created  C:\Program Files\Internet Explorer\fr-FR\cc11b995f2a76d  msbrowser.exe
-
Drops file in Windows directory 2 IoCs
description / ioc / Process:
File created  C:\Windows\Registration\sppsvc.exe  msbrowser.exe
File created  C:\Windows\Registration\0a1fd5f707cd16  msbrowser.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
Process schtasks.exe, pids: 2620, 300, 2896, 1636, 984, 1700, 2156, 2080, 1624, 3000, 540, 2924, 2432, 1036, 3060, 1044, 1752, 1848, 1352, 2724, 1204, 2660, 692, 1408, 2124, 1512, 2504, 2644, 2788, 2864, 2688, 2964, 2916, 1420, 2268, 1148 (36 IoCs)
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid / Process:
2760  msbrowser.exe  (1 entry)
2200  msbrowser.exe  (7 entries)
1984  lsm.exe  (1 entry)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description / pid / Process:
Token: SeDebugPrivilege  2760  msbrowser.exe
Token: SeDebugPrivilege  2200  msbrowser.exe
Token: SeDebugPrivilege  1984  lsm.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
description / pid / Process / procid_target:
PID 1324 wrote to memory of 2576  1324  2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe  30  (4 entries)
PID 2576 wrote to memory of 588  2576  WScript.exe  32  (4 entries)
PID 588 wrote to memory of 2760  588  cmd.exe  34  (4 entries)
PID 2760 wrote to memory of 2200  2760  msbrowser.exe  42  (3 entries)
PID 2200 wrote to memory of 1992  2200  msbrowser.exe  73  (3 entries)
PID 1992 wrote to memory of 3020  1992  cmd.exe  75  (3 entries)
PID 1992 wrote to memory of 1984  1992  cmd.exe  76  (3 entries)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a31d3dc6783dad77df215a986789fb27933fe4b5c59705eb20c256788d4533c.exe"
  - DcRat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1324
  C:\Windows\SysWOW64\WScript.exe (depth 2)
    Command line: "C:\Windows\System32\WScript.exe" "C:\refBrokerDhcp\QElwSQf83XBFhMyqm1gWbbiKf8tDaQ.vbe"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2576
    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: cmd /c ""C:\refBrokerDhcp\eop7KwarhdN0r.bat" "
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 588
      C:\refBrokerDhcp\msbrowser.exe (depth 4)
        Command line: "C:\refBrokerDhcp\msbrowser.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2760
        C:\refBrokerDhcp\msbrowser.exe (depth 5)
          Command line: "C:\refBrokerDhcp\msbrowser.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 2200
          C:\Windows\System32\cmd.exe (depth 6)
            Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZssKRJ08Tb.bat"
            - Suspicious use of WriteProcessMemory
            PID: 1992
            C:\Windows\system32\w32tm.exe (depth 7)
              Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              PID: 3020
            C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe (depth 7)
              Command line: "C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe"
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 1984
-
C:\Windows\system32\schtasks.exe (depth 1), 36 instances. Each carries the signatures DcRat, Process spawned unexpected child process, and Scheduled Task/Job: Scheduled Task (parent: C:\Windows\system32\wbem\wmiprvse.exe, pid 2848, per the signature table above).
PID 2644:  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\lsass.exe'" /f
PID 2788:  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
PID 2864:  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\lsass.exe'" /rl HIGHEST /f
PID 2724:  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\refBrokerDhcp\lsass.exe'" /f
PID 2620:  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\refBrokerDhcp\lsass.exe'" /rl HIGHEST /f
PID 2688:  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\refBrokerDhcp\lsass.exe'" /rl HIGHEST /f
PID 300:   schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\refBrokerDhcp\csrss.exe'" /f
PID 2916:  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\refBrokerDhcp\csrss.exe'" /rl HIGHEST /f
PID 2924:  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\refBrokerDhcp\csrss.exe'" /rl HIGHEST /f
PID 2432:  schtasks.exe /create /tn "msbrowserm" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\msbrowser.exe'" /f
PID 1204:  schtasks.exe /create /tn "msbrowser" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\msbrowser.exe'" /rl HIGHEST /f
PID 984:   schtasks.exe /create /tn "msbrowserm" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\msbrowser.exe'" /rl HIGHEST /f
PID 2660:  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe'" /f
PID 2896:  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
PID 1700:  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
PID 1036:  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f
PID 1420:  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
PID 2964:  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
PID 1752:  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe'" /f
PID 2156:  schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe'" /rl HIGHEST /f
PID 3060:  schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\audiodg.exe'" /rl HIGHEST /f
PID 1044:  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f
PID 2268:  schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
PID 1848:  schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
PID 2080:  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\fr-FR\csrss.exe'" /f
PID 1624:  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\csrss.exe'" /rl HIGHEST /f
PID 2124:  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\csrss.exe'" /rl HIGHEST /f
PID 1636:  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\sppsvc.exe'" /f
PID 3000:  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Registration\sppsvc.exe'" /rl HIGHEST /f
PID 692:   schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\sppsvc.exe'" /rl HIGHEST /f
PID 1148:  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\it-IT\WmiPrvSE.exe'" /f
PID 1408:  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
PID 540:   schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
PID 1512:  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\winlogon.exe'" /f
PID 2504:  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\winlogon.exe'" /rl HIGHEST /f
PID 1352:  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\fr-FR\winlogon.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 222B
MD5: f2e6a416bb7582063d33fad9dd0ac8bb
SHA1: a8fb49fa1fc97ad55f8894cffaf91ab01f9813b1
SHA256: b318f347b0b99171a3fe2f8aa1a0eb438f105cdcabd21493b1185fc5dc702837
SHA512: 773eba4470ecc83bdd1ba9dccd9e5a51a18ed118478c6caf8fa186e961da096bb549d96d10e8444609d48cd2084624e688a954ca065f9a968e965434dddede8e
-
Filesize: 203B
MD5: c54e49eaeb59c57e0d7bb2398e8ea617
SHA1: 3e6bed8fb43f94c190bcdbfe33e9ba826275dfd6
SHA256: 0bcb8b3296b1b862104bc1917793a1b743afc9e623d91f5136fbf30ae7e022ed
SHA512: d24dcd18188176f796b92d150b30d3b99c03654257fe48019308cca5ebb062c7312047fec43e0fa6823ff4ea29649c4f8db61f2ba950881df8a52ec15b662b85
-
Filesize: 32B
MD5: 65cbca0f14030e37f4536942be742fed
SHA1: 1823a610cfb0945e0e234651d4045931aa241ba5
SHA256: 7d881d8c2a5a8756b85abe067e24efdc7c657d1af28ba1132d0e9ae443941d5d
SHA512: 87eb63d67e28c0f42c1b89c631c4573d0d8f9dc145f3720d26d3af8f7dc76e7d105b0598fe398f9e73d95e814301678097be811977c184ea2e101d4e0e8cc044
-
Filesize: 828KB
MD5: 3d428539f2cddf97abfe6586df2f2c1d
SHA1: e828475a8e5ea8db3854cb66f0102c6532a0a997
SHA256: 58a180ba10aad7f5a7c9b86b2f93213fde5e2f4816393d7a19ddc9202bc1f7a4
SHA512: 325d96a63e0ddec4bb2c4c9fafa28b38c6961af0f4c282763eb82677037a50971ac2770c8277a11a80d7853218cc560600c18f7d201f23057387e0a858d05ccc