dcrat | 41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

Analysis

max time kernel
119s
max time network
113s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Size

2.3MB
MD5

1e83ded2729ce777053c604e7d667c38
SHA1

e4de4580f9e80703961c6df8b3dc687d6ff16cda
SHA256

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309
SHA512

6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1
SSDEEP

49152:P581k6pWQwY9zhWLCGUdeuGMvLq0jvYQxkm:P58C6pgTEO0jvYQR

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat 59 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2096	schtasks.exe
		112	schtasks.exe
		2220	schtasks.exe
File created	C:\Program Files\Windows NT\0a1fd5f707cd16		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		1684	schtasks.exe
		2584	schtasks.exe
		1300	schtasks.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		1672	schtasks.exe
		2788	schtasks.exe
		2312	schtasks.exe
		324	schtasks.exe
		1424	schtasks.exe
		3036	schtasks.exe
		2280	schtasks.exe
		484	schtasks.exe
		1780	schtasks.exe
		2624	schtasks.exe
File created	C:\Windows\Logs\CBS\886983d96e3d3e		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		1784	schtasks.exe
		2676	schtasks.exe
		1452	schtasks.exe
		2780	schtasks.exe
		1964	schtasks.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\24dbde2999530e		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		1196	schtasks.exe
		2180	schtasks.exe
		2148	schtasks.exe
		2716	schtasks.exe
		3048	schtasks.exe
File created	C:\Windows\de-DE\75a57c1bdf437c		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		2228	schtasks.exe
File created	C:\Windows\SchCache\75a57c1bdf437c		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		1640	schtasks.exe
		2720	schtasks.exe
		1652	schtasks.exe
		1732	schtasks.exe
		2172	schtasks.exe
		1512	schtasks.exe
		1528	schtasks.exe
		636	schtasks.exe
		1960	schtasks.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		1624	schtasks.exe
		2308	schtasks.exe
		1420	schtasks.exe
		592	schtasks.exe
		2900	schtasks.exe
		1036	schtasks.exe
		1508	schtasks.exe
		2836	schtasks.exe
		2536	schtasks.exe
		2668	schtasks.exe
		2876	schtasks.exe
File created	C:\Windows\ServiceProfiles\56085415360792		41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
		1644	schtasks.exe
		2200	schtasks.exe
		2568	schtasks.exe
		532	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2684	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2684	schtasks.exe	31

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3016-1-0x0000000000D20000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/files/0x0005000000019aee-17.dat	dcrat
behavioral1/memory/2184-53-0x0000000001230000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/3040-95-0x0000000001380000-0x00000000015D0000-memory.dmp	dcrat

Executes dropped EXE 8 IoCs

pid	Process
2184	OSPPSVC.exe
1864	OSPPSVC.exe
2108	OSPPSVC.exe
2180	OSPPSVC.exe
1012	OSPPSVC.exe
2888	OSPPSVC.exe
3040	OSPPSVC.exe
1720	OSPPSVC.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com
7	pastebin.com
9	pastebin.com
11	pastebin.com
13	pastebin.com
15	pastebin.com
17	pastebin.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Windows NT\sppsvc.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Windows NT\0a1fd5f707cd16	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\7a0fd90576e088	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\WmiPrvSE.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\24dbde2999530e	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\75a57c1bdf437c	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Logs\CBS\csrss.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\de-DE\75a57c1bdf437c	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\ServiceProfiles\wininit.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Downloaded Program Files\csrss.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\SchCache\WMIADAP.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Logs\CBS\886983d96e3d3e	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\de-DE\WMIADAP.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\ServiceProfiles\56085415360792	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2180	schtasks.exe
1732	schtasks.exe
1528	schtasks.exe
2720	schtasks.exe
2568	schtasks.exe
3048	schtasks.exe
2624	schtasks.exe
112	schtasks.exe
532	schtasks.exe
1424	schtasks.exe
1624	schtasks.exe
1036	schtasks.exe
1644	schtasks.exe
2200	schtasks.exe
2876	schtasks.exe
2900	schtasks.exe
1420	schtasks.exe
2228	schtasks.exe
2716	schtasks.exe
2668	schtasks.exe
2676	schtasks.exe
3036	schtasks.exe
2312	schtasks.exe
2148	schtasks.exe
324	schtasks.exe
1780	schtasks.exe
2220	schtasks.exe
2788	schtasks.exe
2780	schtasks.exe
1964	schtasks.exe
484	schtasks.exe
1684	schtasks.exe
2536	schtasks.exe
1640	schtasks.exe
1300	schtasks.exe
2308	schtasks.exe
1652	schtasks.exe
636	schtasks.exe
2584	schtasks.exe
1196	schtasks.exe
1452	schtasks.exe
1512	schtasks.exe
2280	schtasks.exe
1960	schtasks.exe
2172	schtasks.exe
1784	schtasks.exe
1508	schtasks.exe
2836	schtasks.exe
592	schtasks.exe
1672	schtasks.exe
2096	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
916	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
916	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
916	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
3004	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
2184	OSPPSVC.exe
1864	OSPPSVC.exe
2108	OSPPSVC.exe
2180	OSPPSVC.exe
1012	OSPPSVC.exe
2888	OSPPSVC.exe
3040	OSPPSVC.exe
1720	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	916	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	3004	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	2184	OSPPSVC.exe
Token: SeDebugPrivilege	1864	OSPPSVC.exe
Token: SeDebugPrivilege	2108	OSPPSVC.exe
Token: SeDebugPrivilege	2180	OSPPSVC.exe
Token: SeDebugPrivilege	1012	OSPPSVC.exe
Token: SeDebugPrivilege	2888	OSPPSVC.exe
Token: SeDebugPrivilege	3040	OSPPSVC.exe
Token: SeDebugPrivilege	1720	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 916	3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	71
PID 3016 wrote to memory of 916	3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	71
PID 3016 wrote to memory of 916	3016	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	71
PID 916 wrote to memory of 3004	916	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	78
PID 916 wrote to memory of 3004	916	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	78
PID 916 wrote to memory of 3004	916	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	78
PID 3004 wrote to memory of 2184	3004	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	85
PID 3004 wrote to memory of 2184	3004	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	85
PID 3004 wrote to memory of 2184	3004	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	85
PID 2184 wrote to memory of 2904	2184	OSPPSVC.exe	86
PID 2184 wrote to memory of 2904	2184	OSPPSVC.exe	86
PID 2184 wrote to memory of 2904	2184	OSPPSVC.exe	86
PID 2904 wrote to memory of 1848	2904	cmd.exe	88
PID 2904 wrote to memory of 1848	2904	cmd.exe	88
PID 2904 wrote to memory of 1848	2904	cmd.exe	88
PID 2904 wrote to memory of 1864	2904	cmd.exe	89
PID 2904 wrote to memory of 1864	2904	cmd.exe	89
PID 2904 wrote to memory of 1864	2904	cmd.exe	89
PID 1864 wrote to memory of 1960	1864	OSPPSVC.exe	90
PID 1864 wrote to memory of 1960	1864	OSPPSVC.exe	90
PID 1864 wrote to memory of 1960	1864	OSPPSVC.exe	90
PID 1960 wrote to memory of 672	1960	cmd.exe	92
PID 1960 wrote to memory of 672	1960	cmd.exe	92
PID 1960 wrote to memory of 672	1960	cmd.exe	92
PID 1960 wrote to memory of 2108	1960	cmd.exe	93
PID 1960 wrote to memory of 2108	1960	cmd.exe	93
PID 1960 wrote to memory of 2108	1960	cmd.exe	93
PID 2108 wrote to memory of 668	2108	OSPPSVC.exe	94
PID 2108 wrote to memory of 668	2108	OSPPSVC.exe	94
PID 2108 wrote to memory of 668	2108	OSPPSVC.exe	94
PID 668 wrote to memory of 1948	668	cmd.exe	96
PID 668 wrote to memory of 1948	668	cmd.exe	96
PID 668 wrote to memory of 1948	668	cmd.exe	96
PID 668 wrote to memory of 2180	668	cmd.exe	97
PID 668 wrote to memory of 2180	668	cmd.exe	97
PID 668 wrote to memory of 2180	668	cmd.exe	97
PID 2180 wrote to memory of 1300	2180	OSPPSVC.exe	98
PID 2180 wrote to memory of 1300	2180	OSPPSVC.exe	98
PID 2180 wrote to memory of 1300	2180	OSPPSVC.exe	98
PID 1300 wrote to memory of 1464	1300	cmd.exe	100
PID 1300 wrote to memory of 1464	1300	cmd.exe	100
PID 1300 wrote to memory of 1464	1300	cmd.exe	100
PID 1300 wrote to memory of 1012	1300	cmd.exe	101
PID 1300 wrote to memory of 1012	1300	cmd.exe	101
PID 1300 wrote to memory of 1012	1300	cmd.exe	101
PID 1012 wrote to memory of 2996	1012	OSPPSVC.exe	103
PID 1012 wrote to memory of 2996	1012	OSPPSVC.exe	103
PID 1012 wrote to memory of 2996	1012	OSPPSVC.exe	103
PID 2996 wrote to memory of 1968	2996	cmd.exe	105
PID 2996 wrote to memory of 1968	2996	cmd.exe	105
PID 2996 wrote to memory of 1968	2996	cmd.exe	105
PID 2996 wrote to memory of 2888	2996	cmd.exe	106
PID 2996 wrote to memory of 2888	2996	cmd.exe	106
PID 2996 wrote to memory of 2888	2996	cmd.exe	106
PID 2888 wrote to memory of 2756	2888	OSPPSVC.exe	107
PID 2888 wrote to memory of 2756	2888	OSPPSVC.exe	107
PID 2888 wrote to memory of 2756	2888	OSPPSVC.exe	107
PID 2756 wrote to memory of 2864	2756	cmd.exe	109
PID 2756 wrote to memory of 2864	2756	cmd.exe	109
PID 2756 wrote to memory of 2864	2756	cmd.exe	109
PID 2756 wrote to memory of 3040	2756	cmd.exe	110
PID 2756 wrote to memory of 3040	2756	cmd.exe	110
PID 2756 wrote to memory of 3040	2756	cmd.exe	110
PID 3040 wrote to memory of 1540	3040	OSPPSVC.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
"C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
1⤵
- DcRat
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
  "C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
  2⤵
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
    "C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\Videos\OSPPSVC.exe
      "C:\Users\Admin\Videos\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2904
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1848
      - C:\Users\Admin\Videos\OSPPSVC.exe
        
        "C:\Users\Admin\Videos\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:672
        
        C:\Users\Admin\Videos\OSPPSVC.exe
        
        "C:\Users\Admin\Videos\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1948
        
        C:\Users\Admin\Videos\OSPPSVC.exe
        
        "C:\Users\Admin\Videos\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1464
        
        C:\Users\Admin\Videos\OSPPSVC.exe
        
        "C:\Users\Admin\Videos\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1968
        
        C:\Users\Admin\Videos\OSPPSVC.exe
        
        "C:\Users\Admin\Videos\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2864
        
        C:\Users\Admin\Videos\OSPPSVC.exe
        
        "C:\Users\Admin\Videos\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        17⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2072
        
        C:\Users\Admin\Videos\OSPPSVC.exe
        
        "C:\Users\Admin\Videos\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Logs\CBS\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\CBS\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Windows\de-DE\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\spoolsv.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\SchCache\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

Filesize
198B

MD5
8e6486eb39fa879e8640b483cf43544e

SHA1
d4015d60b14259faeb9a4db2705d207f2a6cc9fd

SHA256
f70023a05cda76d981e8133c33d751eb404ffd74e0439114738e10d75772c2f1

SHA512
a40a21bb16e5c425a16956b3bc98400ab21edb3eaca6b9ce11a7c723cee0ce8e04af78ad516a502db470394dc37f1b67a19360347707b7a273b3a13aa2ff8965

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

Filesize
198B

MD5
86f8a93613b4a4d85b28df61f453eb1d

SHA1
665ebf8ec751038ecb80fd843e703029218b94cc

SHA256
53844d93503ffffb53ff0319349550b2444d128c73e867baa3cae878ecb5b628

SHA512
f94dcf1b36670b4914fe76f73b6bc4e5eed0201ab2118b948fa31fc2f10a7b22ab67e5532e4e4ccfecc6ad6982963ea3ba571079c8222abbefd7f3d42fbd26c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat

Filesize
198B

MD5
64a66f0357936889fdcca2949a7dccbd

SHA1
8af2dd9006b2211b73736a120aac3ac4d6c5401d

SHA256
fbebd264a71feefebfea0f9dd117dbcda0cae107e7c467993af8f3b4c619c875

SHA512
90e7998d5267eb32e9e41ce0a4deb02a02343f4b141d9aa7cc11805a66d41d0ccb73279f6c3821fd04b7dada99bf0e9809fb33d77d14f1037f779974c5cf2c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
198B

MD5
e490000aee27fde5451862a1e489cd95

SHA1
0ecbc05f290bc68b9ded6ed1fd4274eecd8a3632

SHA256
f938a29642ed0658a825bbb610c7ae47c28927920bc1db39442080823437eb22

SHA512
e70a8367401eb145701cbc48296066ff6ab6051414c041d5752be2b365dbc9905781f1bfa79f2d8dc5c81ce56c705fa24d2fc832c6f283cf45345449905c8232

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
198B

MD5
fa324087785444bfd45aa5bff3cb57b5

SHA1
b64e95a618974b56d46c29ebd52322eed4ba991e

SHA256
5348fb3a3b30eddd9cf83dc4c3d10084036437c801428243165cf42089a45fe9

SHA512
d66a3d7a420b24ea56fef78c624d0260615f72525ab8f2c3c38136f6cbfad21c64cc6380b3901c89b98095c562e8534a6e3b7bffc51656388381a2aa842c79a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
198B

MD5
4dc814cb79419b02e050fe525e0f768c

SHA1
60d268c02f345cd92d798c442fb6d92533f32171

SHA256
d0be9f97db92fdafc7f4a29becf07f5d45c26a9343f92fb457a8b4dbfa0780a4

SHA512
81201a8ffadc833c693849f0955199a34c4f3472d8e56407d4cae7706aa9880dfe03203746982946c3ce8429e0fa80b7ef05c174cc8a687b00ad2950ef81b9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
198B

MD5
4225bf94fe6868dcf66bdebc41403cad

SHA1
f8b99ed949870b3915392a7b72cea24cc3845463

SHA256
5f0b14fc297361ca82f00f11aa0332bb7c0c090bc321c82623ca354bbbfab677

SHA512
034c1425e58b8917e3c96d3a837171d65fd4c0970cee32a915b8292316ece121272296b55b4aed0f79e52dbb49d86046866a846702d41634c60d866d2f2c2053

Download Submit
C:\Windows\ServiceProfiles\wininit.exe

Filesize
2.3MB

MD5
1e83ded2729ce777053c604e7d667c38

SHA1
e4de4580f9e80703961c6df8b3dc687d6ff16cda

SHA256
41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

SHA512
6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1

Download Submit
memory/916-36-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1720-103-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/1864-61-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2108-68-0x0000000000580000-0x0000000000592000-memory.dmp

Filesize
72KB

Download
memory/2180-75-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2184-53-0x0000000001230000-0x0000000001480000-memory.dmp

Filesize
2.3MB

Download
memory/2184-54-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2888-88-0x0000000000590000-0x00000000005E6000-memory.dmp

Filesize
344KB

Download
memory/3004-42-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/3004-41-0x0000000000410000-0x0000000000466000-memory.dmp

Filesize
344KB

Download
memory/3016-5-0x0000000000CB0000-0x0000000000D06000-memory.dmp

Filesize
344KB

Download
memory/3016-8-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/3016-7-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/3016-6-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/3016-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/3016-4-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/3016-35-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-3-0x0000000000560000-0x000000000057C000-memory.dmp

Filesize
112KB

Download
memory/3016-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/3016-1-0x0000000000D20000-0x0000000000F70000-memory.dmp

Filesize
2.3MB

Download
memory/3040-95-0x0000000001380000-0x00000000015D0000-memory.dmp

Filesize
2.3MB

Download
memory/3040-96-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download